This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Odd "DNS" traffic

I am seeing log entries like this every 15 seconds:
2015:08:03-22:57:29 sophosutm ulogd[5274]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="x.x.x.x" dstip="208.67.220.220" proto="17" length="28" tos="0x00" prec="0x00" ttl="64" srcport="43978" dstport="53" info="nf_ct_dns: dropping packet: Inappropriately formated record: Only -45 left for type and class

2015:08:03-22:57:29 sophosutm ulogd[5274]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="x.x.x.x" dstip="208.67.222.222" proto="17" length="28" tos="0x00" prec="0x00" ttl="64" srcport="56030" dstport="53" info="nf_ct_dns: dropping packet: Inappropriately formated record: Only -12 left for type and class

Anyone else seeing this in their logs? When I capture the traffic there is not a valid DNS request, I am just not sure what it is doing. I started as soon as I upgraded to 9.314GA and I just completed a reinstall/restore and it is still doing it now.

This thread was automatically locked due to age.

0 Amodin over 9 years ago

I didn't find this, but I sure found a lot of lame server garbage in my DNS Proxy log.

OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
(Former Sophos UTM Veteran, Former XG Rookie)
Cancel
Vote Up 0 Vote Down

Cancel
0 pedja over 9 years ago

I have had the same thing but other protocol, I have had a problem with IPSEC being reported as DNS problem.
Cancel
Vote Up 0 Vote Down

Cancel
0 darrellr_01 over 9 years ago

Definitely only appears on the WAN interface, nothing on internals that would be triggering this activity.  Here is the packet capture, two packets in IPv4 (which appear the be the issue) and then two packets IPv6.

tcpdump -nnvvXi eth2 'port 53 and udp'
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
08:49:03.581767 IP (tos 0x0, ttl 64, id 20521, offset 0, flags [DF], proto UDP (17), length 28)
    x.x.x.x.34173 > 208.67.222.222.53: [bad udp cksum 0xc09f -> 0xb9a5!] [|domain]
        0x0000:  4500 001c 5029 4000 4011 2a22 ***x ***x  E...P)@.@.*"..dH
        0x0010:  d043 dede 857d 0035 0008 c09f            .C...}.5....
08:49:03.581863 IP (tos 0x0, ttl 64, id 37466, offset 0, flags [DF], proto UDP (17), length 28)
    x.x.x.x.36310 > 208.67.220.220.53: [bad udp cksum 0xbe9d -> 0xb34e!] [|domain]
        0x0000:  4500 001c 925a 4000 4011 e9f2 ***x ***x  E....Z@.@.....dH
        0x0010:  d043 dcdc 8dd6 0035 0008 be9d            .C.....5....
08:49:03.581956 IP6 (hlim 64, next-header UDP (17) payload length: 8) x.x.x.x.x.x.x.x.x.x.x.x > 2620:0:ccc::2.53: [udp sum ok] [|domain]
        0x0000:  6000 0000 0008 1140 ***x ***x ***x ***x  `......@&.-.....
        0x0010:  ***x ***x ***x ***x 2620 0000 0ccc 0000  M....(?I&.......
        0x0020:  0000 0000 0000 0002 ea9d 0035 0008 a210  ...........5....
08:49:03.582021 IP6 (hlim 64, next-header UDP (17) payload length: 8) x.x.x.x.x.x.x.x.x.x.x.x.x > 2620:0:ccd::2.53: [udp sum ok] [|domain]
        0x0000:  6000 0000 0008 1140 ***x ***x ***x ***x  `......@&.-.....
        0x0010:  ***x ***x ***x ***x 2620 0000 0ccd 0000  M....(?I&.......
        0x0020:  0000 0000 0000 0002 ba30 0035 0008 d27c  .........0.5...|
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
Cancel
Vote Up 0 Vote Down

Cancel
0 pedja over 9 years ago

Is this a VMware virtual machine ?
Cancel
Vote Up 0 Vote Down

Cancel
0 darrellr_01 over 9 years ago

Yes. I am using ESXi 5.5.
Cancel
Vote Up 0 Vote Down

Cancel
0 scorpionking over 9 years ago
I have this too every minute.
I have set up my DNS forwarders as availability group with checking on port 53 UDP (according to the best practice mentioned in this board):

I guess this is the cause...
----------
Sophos user, admin and reseller.
Private Setup:

XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)

UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
Cancel
Vote Up 0 Vote Down

Cancel
0 darrellr_01 over 9 years ago

@scorpionking - Nailed it! Mine was set the same way but with 15 as the interval. I had forgotten about availability groups but knew it had to be something like that. Thanks so much for finding it.

On a side note, as mentioned, this appears to be a bug that has cropped up in the latest version as it has not appeared in logs prior to this. I have temporarily set it to ping rather than udp/53 for now and the log entries have disappeared accordingly.
Cancel
Vote Up 0 Vote Down

Cancel
0 FrankKlous over 9 years ago

I have the same issue after the upgrade to 9.315-2, but what is the solution? Disable the availability group?
Cancel
Vote Up 0 Vote Down

Cancel
0 seroal over 9 years ago in reply to darrellr_01

@klousf: darrellr described his solution already, otherwise you could raise a ticket at sophos, if you´re paying for support:

I have temporarily set it to ping rather than udp/53 for now and the log entries have disappeared accordingly.

Do you have the same setting udp/53 in your availability group?

Regards
Sebastian
Cancel
Vote Up 0 Vote Down

Cancel