# huge amount of outgoing connections on bind/named/53 port

## ryszardzonk

I recently installed Peerguardian/pglinux as an extension to my firewall and it blocks all kinds of traffic which I previously did not realize could go through my server. As for my setup, my machine serves as a local home server for my personal use. Among others I have DHCP, BIND, NTP, TOR and MLDONKEY installed, which might be related to the issue.

Now none of the below connections is something I expect from any of those apps, because of their config setup, but still mentioning them might be important. Such connections happen on a very irregular basis, but when they do there are hundreds of them.

*Quote:*

> Sep  8 12:16:38 OUT: 192.168.10.xxx:25664  192.203.230.10:53      UDP  || National Aeronautics and Space Administration
> Sep  8 12:16:38 OUT: 192.168.10.xxx:29817  192.112.36.4:53        UDP  || DISA | Government Systems, Inc
> ...

Now the question is how to check where and why they are coming from. Could it be that my server or one of the machines has been hacked, caught some kind of trojan/virus or anything like that?

----------

## NeddySeagoon

ryszardzonk,

It looks like you are running a public nameserver.

```
$ grep 53 /etc/services
domain      53/tcp            # Domain Name Server
domain      53/udp
```

There is no need to hide 192.168.10.xxx as 192.168.0.0/16 is designated for private use and not routable over the internet. 

Addresses in 192.168.0.0/16 will be dropped by your ISP, and if you send them a lot of packets with that IP in them, they may ask you to sort it out.

----------

## ryszardzonk

*Quote:*

> There is no need to hide 192.168.10.xxx as 192.168.0.0/16 is designated for private use and not routable over the internet.

I know that. Just the habit.

The thing is, I am not running a public name server. At least not through BIND.

/etc/bind/named.conf

```
acl "trusted" {
        192.168.10.0/24;
        127.0.0.0/8;
        ::1/128;
};

        listen-on-v6 { ::1; };
        listen-on { 127.0.0.1; 192.168.10.1/24; };
        forwarders {
                62.133.xxx.xxx;          // local ISP
                62.133.xxx.xxx;          // local ISP
        };
```

Maybe TOR is doing it, but I am not sure how that could be, as I am forbidding any traffic other than the following:

/etc/tor/torrc

```
ExitPolicy accept *:80
ExitPolicy accept *:8074
ExitPolicy accept *:6666-6667,reject *:*
ExitPolicy reject *:*
```

EDIT

```
12:16:39 OUT: 192.168.102.xxx:22020  192.112.36.4:53 
```

That PeerGuardian log line means traffic like that tries to go out from my machine to the Internet, but has been stopped by PeerGuardian. It would go out otherwise, as 192.168.102.xxx is just a representation of my external network card through which traffic is forwarded to the ISP router on my end.

----------
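One way to answer "where and why" from the PeerGuardian log itself, as an added example that is not part of the thread: parse the quoted line format, count outbound port-53 events per source host and per destination, and flag destinations that are not the forwarders listed in named.conf. The sample lines and the 62.133.0.x forwarder addresses are constructed (the thread redacts them); the two 192.x destinations are the ones quoted above, which are root name servers, so a resolver that reaches them is doing iterative resolution on its own rather than through its forwarders.

```python
import re
from collections import Counter

# Constructed sample lines in the PeerGuardian format quoted in the thread.
# Source hosts and the 62.133.0.x forwarder are made up; the last line is an
# unrelated inbound entry included to show it is ignored.
SAMPLE_LOG = """\
Sep  8 12:16:38 OUT: 192.168.10.1:25664  192.203.230.10:53      UDP  || National Aeronautics and Space Administration
Sep  8 12:16:38 OUT: 192.168.10.1:29817  192.112.36.4:53        UDP  || DISA | Government Systems, Inc
12:16:39 OUT: 192.168.10.1:22020  192.112.36.4:53        UDP  || DISA | Government Systems, Inc
Sep  8 12:16:40 OUT: 192.168.10.1:40011  62.133.0.1:53          UDP  || constructed ISP resolver
Sep  8 12:16:41 OUT: 192.168.10.57:51000  192.203.230.10:53     UDP  || National Aeronautics and Space Administration
Sep  8 12:16:41 IN:  203.0.113.9:4444     192.168.10.1:80       TCP  || constructed unrelated entry
"""

# Placeholder for the two "62.133.xxx.xxx" forwarders from named.conf (redacted in the thread).
FORWARDERS = {"62.133.0.1", "62.133.0.2"}

# Date prefix is optional: the EDIT line in the thread omits it.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+)?\d\d:\d\d:\d\d\s+(?P<dir>IN|OUT):\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s+\|\|\s*(?P<label>.*)$"
)

def parse_lines(text):
    """Yield one dict per line that matches the PeerGuardian format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def dns_summary(text, forwarders):
    """Count outbound queries to port 53 by source and destination.

    'not_forwarder' lists destinations outside the configured forwarders.
    If the resolver host itself appears there, BIND is resolving iteratively
    (its default 'forward first' falls back to that when forwarders fail);
    if a LAN client appears, it is bypassing the local resolver entirely.
    """
    by_src, by_dst = Counter(), Counter()
    for ev in parse_lines(text):
        if ev["dir"] != "OUT" or ev["dport"] != "53":
            continue
        by_src[ev["src"]] += 1
        by_dst[ev["dst"]] += 1
    return {
        "by_src": dict(by_src),
        "by_dst": dict(by_dst),
        "not_forwarder": {d for d in by_dst if d not in forwarders},
    }
```

Feed it the real log with `dns_summary(open("/var/log/pgl/pgld.log").read(), FORWARDERS)` (path assumed) and check whether the flagged sources are the BIND host or other LAN machines.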

