On Fri, 06 Jun 2003 08:39:52 BST, Mike <mikeat_private> said: > belonged to our ISP. On querying them about this odd behavior the > explanation given (and other evidence seems to bear this out) was that > our mail server was performing DNS lookups for the delivery of mail and > on behalf of our internal network as it was configured as a forwarder > because it was behind a firewall. The IP address in question was merely > replying to DNS queries which had been forwarded to it by our ISPs' The scenario there would have your site sending packets with an ephemeral port number to the DNS server's port 53, and the return packets stopped at the firewall would have a *source* port 53 and an ephemeral destination. In the OP's case, the *destination* port was 53, which indicates that somebody thinks that the mail server target is also providing DNS service.
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 09:07:48 PDT