I setup two RedHat Linux 9 DNS Servers with their default BIND 9.2.1-16. One is the master 64.234.123.2 and the other is the slave 64.234.123.3 (these are not the actual addresses). Everything works well except that my Microsoft ISA 2000 Firewall returns the warning below under Even Viewer, Application:

Event ID 15105

ISA Server detected an all port scan attack from Internet Protocol (IP) address 64.234.123.2. For more information about this event, see ISA Server Help.

The Linux DNS servers are stand-alone with no firewalling and they are not behind the ISA firewall. My ISA firewall is 64.234.123.4. These warning happen about every one to two hours. Why? Does BIND actually perform a port scan before zone transfers? Is this part of it's mechanism; port scans? Has anybody else experienced this? Please let me know.

Probably the ISA server is doing some kind of DNS lookups from your servers, and since the ISA server is making the request from a different high port (over 1023) every time, it gets responses back to many different ports. If, for example, you had a bunch of new connections open nearly simultaneously and the ISA server did reverse DNS lookup on all of them, then it would *appear* that your DNS server was making a "port scan" of a bunch of high ports on the ISA server (really just responding to requests).

That's the only thing I can think of. If that's the cause, then ISA server is even worse than I thought.

Might want to fire up tcpdump/ethereal on the Bind machine and see if you can figure out what the traffic is that illicits such a weird log message.

chort,

I think you detected my problem precisely. I looked at the resolv entries for the outside NIC on my ISA firewall and it points to the two DNS server addresses that the port scan warnings are complaining about.

I replaced two servers about weeks ago from Windows DNS to Linux BIND and then started getting these warnings in ISA.

What do you suggest I do?

Are there any entries I can make in ISA to ignore these port scans coming exclusively from these two addresses?

Should I just ignore these warnings?

Your professional advise is very appreciated. I admire that you are CISSP certified.

Thanks,

Ram

Well probably the most complete solution would be to disable reverse DNS lookups on the ISA server. They are just waste time. If you really need to get the domain name associated with an IP, you can do it off-line (i.e. with a lookup tool not on the ISA server). That would eliminate the portscan issue, and probably boost the performance on your ISA server a little.

Other than that, you would have to find a way to exempt the DNS servers from ISAs port scan warnings, but you're on your own there. I've seen exactly one ISA server implementation and it looked every bit as scary as I had imagined.

By the way, your admiration is noted, but don't get carried away. It just means I took the time to be tested on things that a lot of other people know (but don't care to spend the time to certify).