Preface: DNS UDP port probe - Internet Security Systems

DNS UDP port probe

advICE : Intrusions : 2003409
Summary

Either a hacker is scanning your system looking for the "DNS" service, or somebody has misconfigured your machine as a DNS server.

Details

DNS is the component that translates names into IP addresses. You don't run DNS yourself, but you must use your ISP's DNS server in order to access the Internet.

This event triggers because somebody has accessed your system as if it were a DNS server, but it isn't one (of course).

There are two reasons why somebody might be doing this:

  1. You might have accidentally installed a DNS server that the hacker can use to break into your machine. This can happen if you've installed Linux or WinNT Server, or misconfigured an Internet Connection Sharing (ICS) product. The hacker is scanning your machine to see if this has happened.
  2. Somebody might have misconfigured their machine. Many people configure their machines by hand. One of the items they must configure is which DNS server to use. They have misconfigured their machines to point at your system.

False Positives

If you get probed repeatedly for DNS, then chances are that the "hacker" really is just somebody who has misconfigured their machine.

Statistics

During the first part of the year 2000, we've seen a dramatic rise in the number of DNS probes. This is due to the fact that the most popular Linux product (RedHat 6) can be broken into through the DNS service, and most Linux users install the DNS service by default.

 more information
NXT overflow: The attack against RedHat 6 Linux that will allow a hacker to break into that system.

 parametric information
port: The UDP port being probed.
reason: The reason for the port probe.
  Firewalled: the incoming UDP frame was stopped by the firewall.
  ICMPsent: the incoming UDP frame was rejected by the computer.
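
An added example, not part of the original advICE page or the product: a Python triage of constructed probe events that applies the False Positives heuristic above (a source that probes repeatedly is probably a misconfigured client) using the port and reason parameters. The log line layout, the triage_dns_probes name and the repeat_threshold cut-off are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events. The line layout is an assumption for this example;
# only the "port" and "reason" parameters and their values come from the page.
SAMPLE_EVENTS = """\
2000-03-01T10:00:05 src=192.0.2.10 port=53 reason=Firewalled
2000-03-01T10:05:05 src=192.0.2.10 port=53 reason=Firewalled
2000-03-01T10:10:06 src=192.0.2.10 port=53 reason=Firewalled
2000-03-01T10:15:04 src=192.0.2.10 port=53 reason=Firewalled
2000-03-01T11:42:17 src=198.51.100.7 port=53 reason=ICMPsent
2000-03-01T11:50:00 src=203.0.113.9 port=137 reason=Firewalled
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) port=(?P<port>\d+) "
    r"reason=(?P<reason>Firewalled|ICMPsent)$"
)

def triage_dns_probes(text, repeat_threshold=3):
    """Group UDP/53 probe events by source and label each source.

    repeat_threshold is a hypothetical cut-off for "probed repeatedly".
    """
    sources = defaultdict(lambda: {"times": [], "reasons": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or int(m["port"]) != 53:
            continue  # malformed line, or a probe of some other UDP port
        entry = sources[m["src"]]
        entry["times"].append(datetime.fromisoformat(m["ts"]))
        entry["reasons"].add(m["reason"])

    report = {}
    for src, entry in sources.items():
        count = len(entry["times"])
        span = max(entry["times"]) - min(entry["times"])
        report[src] = {
            "count": count,
            "span_seconds": int(span.total_seconds()),
            # ICMPsent: rejected by the computer, so the firewall did not stop it.
            "reached_host": "ICMPsent" in entry["reasons"],
            "verdict": "likely misconfigured client" if count >= repeat_threshold
                       else "few probes, possible scan",
        }
    return report

if __name__ == "__main__":
    for src, info in triage_dns_probes(SAMPLE_EVENTS).items():
        print(src, info)
```

A source flagged with reached_host was answered by the machine itself, so that is the case where checking for an unintended DNS server (reason 1 under Details) matters most.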

 
Version appeared: 2.5 
