Port #53 Exploit?

Status
Not open for further replies.

IllegalOperation

Technical User
Jan 27, 2003
206
US
Hello all, I apologize for being absent... I've been out of town for a while. Anyways, I noticed on my dynamic NAT table of my DIA (which happens to be a 827) router an entry I've never seen before.

The inside address is one of my "private" servers located off the ethernet side of this router, that has absolutely no access to the public world (well at least I thought it didn't). The 192.168.0.1 address has a "deny all" on both the inbound and outbound interfaces of this router.

Well here is what the entry recorded (my public IP removed for security purposes)...

PRO  INSIDE GLOBAL     INSIDE LOCAL        OUTSIDE LOCAL      OUTSIDE GLOBAL
tcp  x.x.x.x:4753      192.168.0.1:4753    192.175.48.1:53    192.175.48.1:53


Port #53? DNS? My question is more of a security concern. Are there any known exploits/vulnerabilities to port #53 that I should be aware of? This server is simply a storage server that does not need to communicate with anything outside of its private subnet. The lookup on 192.175.48.1 shows the name of "prisoner.iana.org", which sounds like some fool with a chip on his shoulder about the IANA for some weird reason. Curious, eh? Thanks for the help...
 
Well, I did a little googling around and I found this.

"But this doesn't answer my initial question: what IS this prisoner.iana.org? Well, once RFC 1918 (and its predecessors, actually) came out, the IANA -- the old name, recall, for the folks in charge of handing out IP address blocks -- realized that they needed a "placeholder" in-addr.arpa zone for the three ranges of non-routable addresses. So they put zones named 10.in-addr.arpa, 16.172.in-addr.arpa, and 168.192.in-addr.arpa on three DNS servers named blackhole-1.iana.org, blackhole2.iana.org and prisoner.iana.org, at IP addresses 192.175.48.6, 192.175.48.42, and 192.175.48.1, and prisoner is set as the primary DNS server for the zones.

Thus, if one of your systems with a 192.168.x.x address tries to register its PTR record then it will, unless you have a local DNS server with a 168.192.in-addr.arpa zone, end up trying to register with prisoner.iana.org -- which will reject the request. The bottom line is, don't worry about it in most cases. In one case, however, you MIGHT worry about it, if you were running an intranet with a dialup connection to the Internet. If your intranet systems have private addresses and you don't have a local reverse lookup zone for your private addresses then you will cause your systems to try to contact prisoner, which would trigger a dialup. And if you're connected via ISDN in some country not blessed with as low a set of telecomm rates as we enjoy in the US, then that could be a quite expensive proposition. Again, the answer in that case would either be to tell your system not to do dynamic updates at all, or to create a local DNS server with a dynamic 168.192.in-addr.arpa zone."

It looks like it is legit and it is just Windows 2k, XP or 2003 doing reverse lookups.

Here is the link where I pulled the above info. I didn't post it all because it mainly describes what forward and reverse DNS lookups are, and I figured there was no reason to post that.


Burke
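The check a router admin would want after reading the explanation above, as an added example that is not part of this thread or of any Cisco tool: parse translation-table lines in the four-column layout the original post shows, flag any entry whose inside host is supposed to be cut off from the Internet, recognise destinations that are IANA's RFC 1918 reverse-zone placeholders (prisoner and the two blackhole hosts, with the addresses from the quoted text), and name the local in-addr.arpa zone that would keep such PTR registrations on the LAN. The sample lines, the 203.0.113.x public address and the list of isolated hosts are constructed for the example; it generalises the quoted 16.172.in-addr.arpa case to any second octet of 172.16.0.0/12.

```python
"""Flag outbound DNS translations from hosts that should never leave the LAN."""
import ipaddress
import re

# Constructed sample translation-table lines (protocol, inside global, inside
# local, outside local, outside global). 203.0.113.0/24 is documentation
# space standing in for the poster's public address; the first line mirrors
# the entry in the post.
SAMPLE_NAT_LINES = """\
tcp 203.0.113.10:4753 192.168.0.1:4753 192.175.48.1:53 192.175.48.1:53
udp 203.0.113.10:1025 192.168.0.7:1025 198.51.100.5:53 198.51.100.5:53
tcp 203.0.113.10:3389 192.168.0.9:3389 198.51.100.9:80 198.51.100.9:80
"""

# IANA's placeholder servers for the RFC 1918 reverse zones, addresses as given
# in the quoted explanation (the second host is spelled blackhole-2.iana.org).
IANA_BLACKHOLE_SERVERS = {
    "192.175.48.1": "prisoner.iana.org",
    "192.175.48.6": "blackhole-1.iana.org",
    "192.175.48.42": "blackhole-2.iana.org",
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+"
    r"(?P<ig>\S+):(?P<igp>\d+)\s+(?P<il>\S+):(?P<ilp>\d+)\s+"
    r"(?P<ol>\S+):(?P<olp>\d+)\s+(?P<og>\S+):(?P<ogp>\d+)\s*$"
)


def parse_nat_line(line):
    """Return a dict for one translation line, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "inside_local": m["il"], "inside_local_port": int(m["ilp"]),
        "outside_global": m["og"], "outside_global_port": int(m["ogp"]),
    }


def reverse_zone_for(ip):
    """Name of the in-addr.arpa zone a local DNS server must host so a private
    address registers its PTR locally (192.168.0.1 -> 168.192.in-addr.arpa).
    Returns None for addresses outside RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in RFC1918):
        return None
    o = ip.split(".")
    if o[0] == "10":
        return "10.in-addr.arpa"
    if o[0] == "192":
        return "168.192.in-addr.arpa"
    # 172.16.0.0/12 is one zone per second octet: 16.172 ... 31.172
    return f"{o[1]}.172.in-addr.arpa"


def classify(entry, isolated_hosts):
    """Tag one translation: what traffic it is and whether it breaks policy."""
    tags = []
    if entry["inside_local"] in isolated_hosts:
        tags.append("policy-violation")      # deny-all host still got a NAT slot
    if entry["outside_global_port"] == 53:
        if entry["outside_global"] in IANA_BLACKHOLE_SERVERS:
            tags.append("iana-reverse-placeholder")  # PTR update aimed at prisoner & co.
        else:
            tags.append("dns")
    else:
        tags.append("other")
    return tags


def audit(text, isolated_hosts):
    """Parse every line; return (inside_local, outside_global, tags, zone) rows."""
    rows = []
    for line in text.splitlines():
        e = parse_nat_line(line)
        if e is None:
            continue
        rows.append((e["inside_local"], e["outside_global"],
                     classify(e, isolated_hosts),
                     reverse_zone_for(e["inside_local"])))
    return rows


if __name__ == "__main__":
    for il, og, tags, zone in audit(SAMPLE_NAT_LINES, {"192.168.0.1"}):
        server = IANA_BLACKHOLE_SERVERS.get(og, "")
        print(f"{il:<14} -> {og:<14} {server:<22} {','.join(tags):<40} "
              f"local zone needed: {zone}")
```

The first sample row comes out tagged both policy-violation and iana-reverse-placeholder: the traffic itself is the harmless PTR registration Burke describes, but the fact that a deny-all host obtained a translation at all is the finding worth chasing on the router's access lists; the zone column tells you which reverse zone to host locally so the registrations stop leaving the network.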
 
But to answer the other part of your post... yes there are exploits for DNS servers, but in general DNS queries are pretty harmless.

burke
 