Score:0

Google DNS tries to connect to 1433?


Trying to set up some advanced filtering/firewall policies from one interface to another, and I kept having users blocked from various services/strange issues (like cert errors, etc.).

The configuration is this: if you hit port 1433, you get added to a block-list

So in this, I've discovered that Google's DNS servers are coming back and hitting port 1433!

Can anyone explain WHY on earth they would do this? (I'm going to run a pcap and see if this is a legitimate DNS response or something... but I can't imagine it would be coming back on such a low port #.)

[Log file entry] https://i.stack.imgur.com/Amp6U.png

You should clarify that this is *UDP* port 1433, not TCP. You say "tries to connect to 1433", but it is not trying to connect -- UDP is connectionless.
Score:6

"They" aren't doing this. Your client initiated a connection to Google's DNS server from its source port 1433. Naturally Google responds back to this port. This is the expected behavior.

Source IP: Your client ip address

Source Port: 1433

Destination IP: 8.8.8.8

Destination Port: 53

Source IP/Port (you) > Destination IP/Port (Google)

Destination IP/Port (Google) > Source IP/Port (you)

Why is your client selecting port 1433 as the source port? Because it's free to select any unused port as the source port.

Traffic that is a response to a connection that is initiated internally (behind your firewall) typically is not blocked, because the firewall sees this as a response to internally initiated traffic. Your firewall should be blocking traffic to port 1433 that is initiated externally, meaning an external host tries to initiate a connection to port 1433 on a device behind your firewall.
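The difference the answer describes, between a rule that blocks anything aimed at port 1433 and a firewall that first checks whether the packet answers a flow an inside host started, is easy to see in code. The following is an added example, not something posted in this thread or shipped by any firewall vendor: it feeds a handful of constructed log lines (client 192.0.2.10 querying 8.8.8.8:53 from source port 1433, the reply, a spoofed reply to the wrong port, a genuine inbound probe of 1433 from 198.51.100.7, and a very late reply) through both a naive port-based blocker and a small stateful tracker. The internal network, the addresses, the log format and the 30-second state lifetime are all assumptions chosen for the illustration.

```python
"""Naive port block versus stateful reply matching for a DNS query sent
from source port 1433.  Added example; addresses, log lines, the log
format and the 30-second state lifetime are constructed assumptions."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Flow key as seen from the inside: (proto, int_ip, int_port, ext_ip, ext_port)
FlowKey = Tuple[str, str, int, str, int]

# Constructed log format: "t=<seconds> <UDP|TCP> <src>:<sport> > <dst>:<dport>"
LOG_RE = re.compile(
    r"t=(?P<ts>[\d.]+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dip>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line: str) -> Tuple[float, str, str, int, str, int]:
    """Split one constructed log line into (ts, proto, sip, sport, dip, dport)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return (float(m["ts"]), m["proto"], m["sip"], int(m["sport"]),
            m["dip"], int(m["dport"]))


class NaiveFilter:
    """The misconfiguration from the question: any packet whose destination
    port is in the blocked set gets its source address block-listed,
    regardless of who initiated the flow."""

    def __init__(self, blocked_ports: Set[int]):
        self.blocked_ports = blocked_ports
        self.blocklist: Set[str] = set()

    def process(self, line: str) -> str:
        _, _, sip, _, _, dport = parse_line(line)
        if sip in self.blocklist:
            return "drop-blocklisted"
        if dport in self.blocked_ports:
            self.blocklist.add(sip)
            return "block-and-blocklist"
        return "allow"


class StatefulFilter:
    """Record flows that inside hosts initiate and admit inbound packets only
    when they match a live entry.  Unsolicited TCP to a blocked port
    block-lists the sender; unsolicited UDP is dropped without block-listing,
    because a stale or spoofed DNS reply to an ephemeral port is not a probe
    (a design choice made for this example)."""

    def __init__(self, internal_net: str, blocked_ports: Set[int],
                 state_lifetime: float = 30.0):
        self.internal = ipaddress.ip_network(internal_net)
        self.blocked_ports = blocked_ports
        self.state_lifetime = state_lifetime  # assumed lifetime, seconds
        self.flows: Dict[FlowKey, float] = {}  # flow -> last seen timestamp
        self.blocklist: Set[str] = set()

    def _is_internal(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal

    def process(self, line: str) -> str:
        ts, proto, sip, sport, dip, dport = parse_line(line)
        if sip in self.blocklist:
            return "drop-blocklisted"
        if self._is_internal(sip) and not self._is_internal(dip):
            # Outbound: create or refresh state so the reply is expected.
            self.flows[(proto, sip, sport, dip, dport)] = ts
            return "allow-outbound"
        # Inbound: does the reversed 4-tuple match a flow we started?
        key: FlowKey = (proto, dip, dport, sip, sport)
        last = self.flows.get(key)
        if last is not None and ts - last <= self.state_lifetime:
            self.flows[key] = ts
            return "allow-reply"
        if last is not None:
            del self.flows[key]  # entry has expired
        if proto == "TCP" and dport in self.blocked_ports:
            self.blocklist.add(sip)
            return "block-and-blocklist"
        return "block-unsolicited"


# Constructed traffic: query from source port 1433, its reply, a reply to
# the wrong port (4-tuple mismatch), a real probe of 1433, a late reply.
SAMPLE_LOG: List[str] = [
    "t=0.000 UDP 192.0.2.10:1433 > 8.8.8.8:53",
    "t=0.020 UDP 8.8.8.8:53 > 192.0.2.10:1433",
    "t=0.030 UDP 8.8.8.8:53 > 192.0.2.10:1434",
    "t=5.000 TCP 198.51.100.7:40512 > 192.0.2.20:1433",
    "t=40.000 UDP 8.8.8.8:53 > 192.0.2.10:1433",
]


def run(filter_obj, lines: List[str]) -> List[str]:
    """Return the verdict for each line, in order."""
    return [filter_obj.process(line) for line in lines]


if __name__ == "__main__":
    for name, f in (("naive", NaiveFilter({1433})),
                    ("stateful", StatefulFilter("192.0.2.0/24", {1433}))):
        print(name, run(f, SAMPLE_LOG), "blocklist:", sorted(f.blocklist))
```

Run stand-alone, the naive filter block-lists 8.8.8.8 on the second line, which is exactly the log entry in the question, and from then on drops every DNS reply from that resolver, which explains the "strange issues" users saw. The stateful filter admits that reply because the reversed 4-tuple matches the query it just saw, rejects the packet aimed at port 1434 because nothing matches (so a spoofed source address alone is not enough; the spoofer would also have to guess the live client port while the entry exists), and block-lists only the host that actually sent an unsolicited TCP packet to 1433. The last line shows a caveat even for a stateful firewall: a reply that arrives after the state entry has expired looks unsolicited, so an auto-block-list rule that fires on any packet to 1433 would still punish the resolver. Limiting that rule to TCP toward 1433 (MS SQL listens on TCP 1433) avoids it.
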

I had that thought also... I guess I'm surprised that fw vendors wouldn't just exclude well known ports, but I suppose the default configuration is to open a connection on any available port.
the other valid thought we had internally, is that someone is purposefully spoofing the source IP