
Thread: Large amount of UDP packets on Network

  1. #1
    Join Date
    Jun 2011
    Posts
    84

    Large amount of UDP packets on Network

    Each day I receive about 12 e-mails from my firewall at work, full of logs. There are plenty of denied packets / will fall LAN -> WAN. I have run Nmap and Wireshark and am unable to work out which process is generating the packets. A UDP-bap netstat reveals a set of open connections on non-standard (e.g. port 40000) ports that are linked to [Dns.exe]. I have no idea what the DNS process is trying to do, or whether it is related to this at all. There are about 150 packets of this kind that hit the firewall over 10 minutes. I wonder what is causing it and how to stop it.

  2. #2
    Join Date
    Jun 2009
    Posts
    1,205

    Re: Large amount of UDP packets on Network

    The developing countries run their implementation DNS for name resolution and they are trying to talk to the estate or any freight (not used) you may have set up. Actually, it all depends on how the DNS servers are configured, but it could very well be normal. Port 53 is indeed DNS for both TCP and UDP, which will try UDP first and then move on to TCP if unsuccessful. So the packets are actually intended for the WAN side and not my gateway, right, as it seeks a higher order

  3. #3
    Join Date
    May 2008
    Posts
    1,304

    Re: Large amount of UDP packets on Network

    A UDP-bap netstat reveals a lot of open connections on non-standard (e.g. port 40000) ports that are linked to [Dns.exe]. I have no idea what the DNS process is trying to do, or whether it is related to this at all. There are about 150 packets of this kind that hit the firewall over 10 minutes. I wonder what is causing it and how to stop it. There is no possibility of viruses or malicious applications attempting to call home. I am not able to provide the Wireshark packet capture.

  4. #4
    Join Date
    Nov 2008
    Posts
    1,066

    Re: Large amount of UDP packets on Network

    Well, on this particular network, we are using both forwarders and root hints, because there is no risk of being poisoned. However, for a public-facing one, I can absolutely understand what you are saying. So there are no entries in the DNS event log, just a lot of firewall logs of packets that are being dropped. DNS seems to work for both the WAN and LAN side of communication, though it could be via TCP with the extra work involved.

  5. #5
    Join Date
    Nov 2008
    Posts
    1,001

    Re: Large amount of UDP packets on Network

    The AD servers are configured to go to it and the secondary AD server for all DNS requests. Carriers and the root hints are, of course, all the WAN side. That's why I'm confused. All this traffic is to beat my gateway firewall, but I do not know what will be the gateway in the first place for name resolution. If my firewall ACL is configured:
    1. Domain Controllers, DNS -> Gateway = Allow
      or
    2. Domain Controllers, DNS -> WAN = Allow
      or
    3. Domain Controllers, DNS -> * = Allow
      The reverse (*DNS -> Domain Controllers = Allow), but my existing rules are set to option A.

  6. #6
    Join Date
    Mar 2009
    Posts
    1,221

    Re: Large amount of UDP packets on Network

    If I understand correctly, you have warning UDP LAN -> firewall messages of confidence? If that means that somewhere for some reason, something is configured to ask the DNS gateway (firewall: trust is often the gateway, at least for the segment is inches) unless you are using something like OpenDNS filtering, you really should not have freight (except for some very strict reasons, such as the resolution of internal non-public domain names).

  7. #7
    Join Date
    Jul 2009
    Posts
    1,179

    Re: Large amount of UDP packets on Network

    I customized the Access Regulation and nothing worked. But since I do not use DHCP to push DNS to my clients, I figured I could have two domain controllers in the network settings on the firewall. When I did this, all traffic stopped, but the firewall is unable to resolve the names of log files and cannot determine the name of the mail server to send reports to me. Unfortunately, it still reports that it is dropping UDP packets from the domain controllers for the Firewall / Gateway.
