My firewall intercepts probes from ARPA

Anonymous
June 11, 2004 3:29:36 AM

Archived from groups: comp.security.firewalls (More info?)

(1)
For months I have noticed that each time I dial up the internet my
ZoneAlarm firewall receives a probe or two from DNS=.in-addr.arpa.
Since ARPA (Advanced Research Projects Agency) is the name of the
original Internet, I have kept watch on these probes.

(2)
I had the experience a week ago of dialing the internet without my
firewall. For maybe a minute I had no firewall. When I started
ZoneAlarm, it started logging/blocking probes from DNS .in-addr.arpa.
ZoneAlarm blocked 75 attempts in several minutes!

(3)
The person at my Internet access provider's help line at the University
of Minnesota did not know of in-addr.arpa, but said that I shouldn't
use a firewall because the University has their own firewall. Yeah,
right!

(4)
Google has strange behavior in searching for in-addr.arpa. It does not
provide any hits for "in-addr.arpa" because it is a domain, but when I
select Google's link to search pages in the domain (from the failure
page), I get 71,000 hits.

Maybe the probes are legitimate and are for management of the
Internet. Or maybe the probes are from my provider. Or maybe I am
being probed by Homeland Security (or al Qaeda).

I would like to know what my firewall is blocking from .in-addr.arpa.
Anonymous
June 11, 2004 9:03:47 AM

On Thu, 10 Jun 2004 23:29:36 -0500, Stan Hilliard
<usenetreplyUM@samplingplansNOTSPAM.com> wrote:
>
>For months I have noticed that each time I dial up the internet my
>ZoneAlarm firewall receives a probe or two from DNS=.in-addr.arpa.
>Since ARPA (Advanced Research Projects Agency) is the name of the
>original Internet, I have kept watch on these probes.
>

FYI:

http://www.inetdaemon.com/tutorials/internet/dns/revers...
Anonymous
June 11, 2004 1:10:37 PM

On Fri, 11 Jun 2004 05:03:47 GMT, shopping.nowthor.com
<nospam@shopping.nowthor.com> wrote:

>On Thu, 10 Jun 2004 23:29:36 -0500, Stan Hilliard
><usenetreplyUM@samplingplansNOTSPAM.com> wrote:
>>
>>For months I have noticed that each time I dial up the internet my
>>ZoneAlarm firewall receives a probe or two from DNS=.in-addr.arpa.
>>Since ARPA (Advanced Research Projects Agency) is the name of the
>>original Internet, I have kept watch on these probes.
>>
>
>FYI:
>
>http://www.inetdaemon.com/tutorials/internet/dns/revers...
>

Thanks.

Followup question:
What would be the purpose of someone looking up the DNS of the
temporary IP of my dialup connection?
Anonymous
June 11, 2004 2:27:50 PM

Hi,

Stan Hilliard <usenetreplyUM@samplingplansNOTSPAM.com> wrote:
> I would like to know what my firewall is blocking from .in-addr.arpa.

The domain in-addr.arpa is used to associate IP-Addresses with names.
Usually your DNS-Client asks for something like: "give me the address
of www.whitehouse.gov", here the question is in reverse: "give me
the name for 212.23.33.23".

To distinguish these two types, your DNS-client asks for the IP address
as: 23.33.23.212.in-addr.arpa and expects the answer: www.whitehouse.gov.

So, in a sense, everybody is in in-addr.arpa.

Greetings,
Jens
Anonymous
June 11, 2004 11:09:39 PM

Hi,

Stan Hilliard <usenetreplyUM@samplingplansNOTSPAM.com> wrote:
> Followup question:
> What would be the purpose of someone looking up the DNS of the
> temporary IP of my dialup connection?

You would not see those requests. What you/your firewall can see, are
your own requests.

Greetings,
Jens
Anonymous
June 12, 2004 5:48:23 PM

On Sat, 12 Jun 2004 09:45:14 -0700, Nemo S. <Nemo@Nemo.net> wrote:

>On Thu, 10 Jun 2004 23:29:36 -0500, Stan Hilliard
><usenetreplyUM@samplingplansNOTSPAM.com> wrote:
>
>>I would like to know what my firewall is blocking from .in-addr.arpa.

>Nothing, Nothing at all, ....
>~Nemo~

~Nemo~, I think that you are wrong about that. Something is blocked.

EXAMPLE FROM FIREWALL LOG:
Protocol: UDP
Source IP 81.39.239.22.:2068 (this varies)
Destination IP 128.101.252.182:1026
Direction: INCOMING
Action taken: BLOCKED
Source DNS: .in-addr.arpa
Destination: (MY COMPUTER NAME)

Sincerely, Stan Hilliard
Anonymous
June 12, 2004 5:51:05 PM

On Fri, 11 Jun 2004 19:09:39 +0200, Jens Hoffmann <jh@bofh.de> wrote:

>Hi,
>
>Stan Hilliard <usenetreplyUM@samplingplansNOTSPAM.com> wrote:
>> Followup question:
>> What would be the purpose of someone looking up the DNS of the
>> temporary IP of my dialup connection?
>
>You would not see those requests. What you/your firewall can see, are
>your own requests.
>
>Greetings,
> Jens

Jens, What could I be seeing then?
Anonymous
June 12, 2004 6:00:46 PM

On Sat, 12 Jun 2004 09:45:17 -0700, Nemo S. <Nemo@Nemo.net> wrote:

>On Fri, 11 Jun 2004 09:10:37 -0500, Stan Hilliard
><usenetreplyUM@samplingplansNOTSPAM.com> wrote:
>
>>What would be the purpose of someone looking up the DNS of the
>>temporary IP of my dialup connection?
>
>
>where have you been surfing, or someone else with that set of IP
>addresses ...

I do many searches for information, including the news. So I don't
keep track of where I surf.

Could it be that I am being spied on for visiting such places as
aljazeera.com?

Or the now-disabled site that originally posted the pictures of the
torture of prisoners at Abu Ghraib prison in Iraq?

>it could be someone has done a probe into a sensitive area and set off
>a security robot, is your system a Zombie ...
>~Nemo~

I don't think so, but I don't know what a Zombie is. I have just an
ordinary PC that I connect with 56K dialup. Otherwise, I use it for
software development.

Stan Hilliard
Anonymous
June 12, 2004 11:41:23 PM

Stan Hilliard wrote:


> ZoneAlarm firewall receives a probe or two from DNS=.in-addr.arpa.


Those are almost always PTR record requests to a DNS server.

Might be your system is looping back to itself to resolve
a name to ip address, or a server somewhere is misconfigured
and is multicasting DNS PTR record requests on all ports.

Another possibility is your dynamic assignment of ip addresses
may, at times, provide you with an ip address which is also
the address of your server's DNS server.

Your log records should reflect those hits on your port 53.

I would not worry much about this.


Purl Gurl
Anonymous
June 13, 2004 3:17:10 PM

Stan Hilliard wrote:

>I would like to know what my firewall is blocking from .in-addr.arpa.

VisualZone's RDNS lookups.
Anonymous
June 14, 2004 12:37:15 PM

Hi,

Stan Hilliard <usenetreplyUM@samplingplansNOTSPAM.com> wrote:
> EXAMPLE FROM FIREWALL LOG:
> Protocol: UDP
> Source IP 81.39.239.22.:2068 (this varies)
> Source DNS: .in-addr.arpa

81.39.239.22 translates to:
22.Red-81-39-239.pooles.rima-tde.net.

Your firewall seems to have no access to a DNS-server, so it just writes
the dns zone instead of the resolved address into the log.

Greetings,
Jens
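
Added example, not part of any poster's message: a sketch of the reverse-lookup mechanics discussed in this thread, using the log entry and the PTR answer quoted above as constructed sample data. The function names, the `KNOWN_PTR` table and the fallback behaviour in `source_dns_field` are assumptions that model the explanation given in the thread, not ZoneAlarm's actual code.

```python
import ipaddress
import re
import struct

# Constructed sample: the firewall log fields quoted in the thread.
SAMPLE_LOG = """\
Protocol: UDP
Source IP 81.39.239.22.:2068
Destination IP 128.101.252.182:1026
Direction: INCOMING
Action taken: BLOCKED
Source DNS: .in-addr.arpa
"""

# Constructed stand-in for a resolver, holding the PTR answer given in the thread.
KNOWN_PTR = {"22.239.39.81.in-addr.arpa": "22.Red-81-39-239.pooles.rima-tde.net."}

def source_ip(log_text):
    """Extract source address and port, tolerating the stray '.' before ':'."""
    m = re.search(r"^Source IP:?\s+(\d+(?:\.\d+){3})\.?:(\d+)", log_text, re.M)
    if not m:
        raise ValueError("no Source IP field")
    return ipaddress.IPv4Address(m.group(1)), int(m.group(2))

def ptr_name(ip):
    """Reverse the octets and append the in-addr.arpa zone."""
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"

def ptr_query(ip, txid=0x1234):
    """Encode the RFC 1035 question a client sends: QTYPE 12 (PTR), QCLASS 1 (IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    labels = ptr_name(ip).split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 12, 1)

def source_dns_field(ip, resolver):
    """Model of the log field: the PTR answer, or the bare zone when lookup fails."""
    answer = resolver(ptr_name(ip))
    return answer if answer else ".in-addr.arpa"

if __name__ == "__main__":
    ip, port = source_ip(SAMPLE_LOG)
    print(ptr_name(ip), len(ptr_query(ip)), "bytes")
    print("resolver reachable:  ", source_dns_field(ip, KNOWN_PTR.get))
    print("resolver unreachable:", source_dns_field(ip, lambda name: None))
```
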
Anonymous
June 14, 2004 12:37:53 PM

Hi,

Stan Hilliard <usenetreplyUM@samplingplansNOTSPAM.com> wrote:
> Jens, What could I be seeing then?

See my other post.
Anonymous
June 14, 2004 8:21:57 PM

Stan Hilliard wrote:

> (1)
> For months I have noticed that each time I dial up the internet my
> ZoneAlarm firewall receives a probe or two from DNS=.in-addr.arpa.
> Since ARPA (Advanced Research Projects Agency) is the name of the
> original Internet, I have kept watch on these probes.

ROTFLMAO!!!
Where is that cluestick when ya need it...

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
Anonymous
June 14, 2004 8:24:09 PM

Nemo S. wrote:


>
>
> where have you been surfing, or someone else with that set of IP
> addresses ...
>
> it could be someone has done a probe into a sensitive area and set off
> a security robot, is your system a Zombie ...
>
>
>
> ~Nemo~

He won't see other folks queries (I doubt he is running a DNS server),
only his own.
Some software on HIS PC is making the request.

Like you say, maybe a zombie...

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz