port scanning from opendns

  • port scanning from opendns

    Hi, we have received a lot of port scans to our new dedicated web server. Our firewall thinks requests from opendns are port scans and blocks the IP address 208.67.222.222.

    We researched further and found out they are not hackers, they are a reputable company. However, we wonder why so many requests are being sent to our servers. It is 50+ within a 30-minute period. So you can understand why our firewall blocks the IP. The port scanning uses port 53 (the DNS port) and UDP - random ports (which is what triggers the scanning).

    I thought this would be an issue to raise. I wonder if when a host blocks opendns ip's anyone using opendns can't access any of the websites stored with that host?

    Is this the reason so many users of opendns have problems accessing some websites? I wonder how many web hosts just leave this IP blocked, not knowing that it is for opendns.

    This isn't something which is widely spoken of. I've spent hours on the internet and can't really find any info. It surprises me that this isn't an issue which opendns have a page on their site about - info for webhosts?

    Cristiano (top guy!) in dedicated support added the ips to the csf allow list but within minutes it blocked it again! We've now tried them in the ignore list. But why are they port scanning in the first place? It says on the small bits of info I can find on their website, it is not port scans, they are answering requests at a different port or something, but who's making the requests, we didn't have this problem with the vps's?

    Has anyone else had this issue, I've raised it with opendns and also on the csf firewall website, so anyone else who does come across it knows what to do.

    UPDATE: Added to ignore list - blocked again - we need to understand what they are doing and if blocking them is ok, or if it harms connections to servers who block the ip's without realising
    Last edited by sihost; 03-01-2010, 20:06.

  • #2
    update

    hi, got a rather sarcastic reply from a user at opendns, however he does provide some info once I get through his sarcasm...
    OpenDNS Community > Forums > Port Scanning

    It seems that what is triggering the port scans, is opendns responding to dns lookups by our server by existing web programs doing DNS lookups, especially reverse ones, e.g. against DNSBLs to prevent spam etc. We have recently turned on the spam database checks in csf firewall, and the amount of spam is drastically reduced, maybe it is this that is generating the dns lookups?

    FOUND THIS - IS THIS A VIABLE SOLUTION?
    Sysadmin: Iptables Block or open DNS / bind service port 53
    Last edited by sihost; 04-01-2010, 00:14. Reason: found link
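
An added example, not part of the thread and not csf's own code: a small Python check that matches blocked UDP packets from source port 53 against the server's own outbound DNS queries, to separate replies the server asked for from unmatched traffic. The log lines, the query list, every address other than 208.67.222.222 and the function names are constructed for illustration.

```python
import re
from collections import Counter

RESOLVERS = {"208.67.222.222"}  # resolver IP quoted in the thread

# Constructed: DNS queries the server sent, as (time_s, resolver, local_port),
# e.g. taken from a packet capture. Same clock as the log below (assumption).
QUERIES = [(100.0, "208.67.222.222", 41001),
           (100.4, "208.67.222.222", 52344),
           (101.1, "208.67.222.222", 38810)]

# Constructed firewall log lines in netfilter LOG style; 192.0.2.10 and
# 203.0.113.9 are documentation addresses, not real hosts.
BLOCKED_LOG = """\
[  131.2] UDP_IN Blocked IN=eth0 SRC=208.67.222.222 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=41001 LEN=98
[  131.9] UDP_IN Blocked IN=eth0 SRC=208.67.222.222 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=52344 LEN=112
[  140.0] UDP_IN Blocked IN=eth0 SRC=208.67.222.222 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=60000 LEN=90
[  150.5] UDP_IN Blocked IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=4444 DPT=161 LEN=60
"""

LINE = re.compile(r"\[\s*(?P<t>[\d.]+)\].*?SRC=(?P<src>\S+)"
                  r".*?PROTO=UDP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def classify(log_text, queries=QUERIES, resolvers=RESOLVERS, window=120.0):
    """Return (src, dst_port, label, seconds_after_query) per blocked packet."""
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        t, src, spt, dpt = float(m["t"]), m["src"], int(m["spt"]), int(m["dpt"])
        if src in resolvers and spt == 53:
            # A real reply returns to the exact local port the query left from.
            delays = [t - qt for qt, qip, qport in queries
                      if qip == src and qport == dpt and 0 <= t - qt <= window]
            if delays:
                results.append((src, dpt, "solicited_dns_reply", round(min(delays), 1)))
            else:
                results.append((src, dpt, "unmatched_port53", None))
        else:
            results.append((src, dpt, "not_dns", None))
    return results

def summary(results):
    # Count packets per label so the share of solicited replies is visible.
    return Counter(label for _, _, label, _ in results)

if __name__ == "__main__":
    for row in classify(BLOCKED_LOG):
        print(row)
    print(summary(classify(BLOCKED_LOG)))
```

Packets in the unmatched group are the ones worth a closer look before widening any allow rule for the resolver's address.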


    • #3
      Fyi

      Originally posted by sihost:
      hi, got a rather sarcastic reply from a user at opendns, however he does provide some info once I get through his sarcasm...
      OpenDNS Community > Forums > Port Scanning

      It seems that what is triggering the port scans, is opendns responding to dns lookups by our server by existing web programs doing DNS lookups, especially reverse ones, e.g. against DNSBLs to prevent spam etc. We have recently turned on the spam database checks in csf firewall, and the amount of spam is drastically reduced, maybe it is this that is generating the dns lookups?

      FOUND THIS - IS THIS A VIABLE SOLUTION?
      Sysadmin: Iptables Block or open DNS / bind service port 53
      I am still checking as to what I can do here. Will update you shortly in the ticket you have raised.
      Cristiano


      MSN :: cristiano @ eukhost.com
      Skype :: cristiano.dawson



      • #4
        Update

        This is to update you that I have made the changes in the server firewall and replied to your ticket. I have been monitoring the server and can view the connections from the opendns IPs. They are not getting blocked at the moment.
        Cristiano





        • #5
          Thanks Cristiano, much appreciated!