478 Views, 0 Helpful, 4 Replies

Broadcasts...started after admin removed reverse DNS

aaguirre (Level 1)

Need advice on how to go about the following: our admin removed reverse DNS lookup, and since then we have been getting thousands of broadcast messages hitting the PIX. My default gateway is a Cat6509, and its default gateway is the PIX. The syslogs have been ridiculous since, and I just end up dropping most. Here's a sample.

Sep 01 2005 18:37:02 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:02 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.0.39/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:03 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.0.72/138 to inside:172.16.255.255/138

Sep 01 2005 18:37:03 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:03 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.0.39/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:03 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.4.81/39501 to inside:172.16.255.255/5353

Sep 01 2005 18:37:04 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:04 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:04 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.0.39/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:05 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:05 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:05 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.0.39/137 to inside:172.16.255.255/137

Sep 01 2005 18:37:05 PIX02 : %PIX-4-106023: Deny icmp src outside:157.130.233.173 dst inside:207.251.242.129 (type 3, code 1) by access-group "outside_access_in"

4 Replies

Richard Burts (Hall of Fame)

Notice that almost all of these messages are broadcast messages to NetBIOS ports (mostly 137 and a 138). I think it is pretty clear that now that the stations cannot resolve via reverse DNS, they are trying to resolve via NetBIOS.

It looks to me like the simple solution is to restore reverse DNS. Why did the admin remove it?

HTH

Rick

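The triage Rick describes above (sorting the ACL denials by destination port and by which stations send them) is easy to automate over the syslog feed. The following is an added Python example and is not code from the thread. It assumes the inside network is 172.16.0.0/16, inferred from the 172.16.255.255 destination in the post; the sample lines are copied from the original post, with one constructed unicast denial added to show that non-broadcast traffic is kept separate.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the PIX-3-710003 "UDP access denied by ACL" message format shown in the thread.
DENIED_RE = re.compile(
    r"%PIX-3-710003: UDP access denied by ACL from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+) to "
    r"(?P<iface>\w+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)

# UDP ports seen in the post: 137/138 are the NetBIOS ports Rick points at, 5353 is mDNS.
PORT_NAMES = {137: "netbios-ns", 138: "netbios-dgm", 5353: "mdns"}

# Hypothetical inside network, inferred from the 172.16.255.255 directed-broadcast destination.
INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")

# Sample input: lines copied from the original post plus one constructed unicast denial (172.16.9.9 -> 172.16.2.2/514).
SAMPLE_LOG = """\
Sep 01 2005 18:37:02 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137
Sep 01 2005 18:37:02 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.0.39/137 to inside:172.16.255.255/137
Sep 01 2005 18:37:03 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.0.72/138 to inside:172.16.255.255/138
Sep 01 2005 18:37:03 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.3.35/137 to inside:172.16.255.255/137
Sep 01 2005 18:37:03 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.4.81/39501 to inside:172.16.255.255/5353
Sep 01 2005 18:37:04 PIX02 : %PIX-3-710003: UDP access denied by ACL from 172.16.9.9/1234 to inside:172.16.2.2/514
Sep 01 2005 18:37:05 PIX02 : %PIX-4-106023: Deny icmp src outside:157.130.233.173 dst inside:207.251.242.129 (type 3, code 1) by access-group "outside_access_in"
"""


def parse_denials(log_text):
    """Return one dict per PIX-3-710003 UDP denial; other message IDs are skipped."""
    records = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        records.append({
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "iface": m["iface"],
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return records


def is_broadcast(dst, inside_net=INSIDE_NET):
    """True for limited broadcast, the inside network's directed broadcast, or multicast."""
    return (dst == ipaddress.ip_address("255.255.255.255")
            or dst == inside_net.broadcast_address
            or dst.is_multicast)


def summarize(records, inside_net=INSIDE_NET):
    """Count broadcast-bound denials by destination service and by sending host."""
    by_service = Counter()
    by_source = Counter()
    unicast = 0
    for r in records:
        if not is_broadcast(r["dst"], inside_net):
            unicast += 1  # real unicast denials deserve a separate look
            continue
        by_service[PORT_NAMES.get(r["dport"], str(r["dport"]))] += 1
        by_source[str(r["src"])] += 1
    return {
        "by_service": dict(by_service),
        "by_source": dict(by_source),
        "unicast_denials": unicast,
    }


if __name__ == "__main__":
    report = summarize(parse_denials(SAMPLE_LOG))
    print("broadcast denials by service:", report["by_service"])
    print("chattiest sources:", report["by_source"])
    print("unicast denials:", report["unicast_denials"])
```

The per-source counter is the useful part for the original question: the stations at the top of that list are the ones that have fallen back to NetBIOS name resolution, so after reverse DNS is restored the counter should drop to zero for them; any station that keeps broadcasting is worth checking individually.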

Because he enabled DHCP and said that it wasn't necessary with it. Then we went back to static addressing, and that's when these started happening. A couple of weeks ago he told me he re-enabled it, but the broadcasts are still happening.

Windows will always send a directed name query when there is no rDNS record available for the host. Windows is also prone to broadcasting if it thinks the host is local.

If you are using Active Directory, you had better have working forward and reverse DNS.

I did an nslookup, and it came back fine. However, I was just told that every day a couple of machines aren't getting a DHCP address. Apparently 95% of the time they do, and a few random ones seem to have issues, but never the same machine. Could this be related also? The PIX isn't my default gateway for the network; the 6509 is currently the default gateway for all my workstations and servers. It then uses the PIX as its gateway.
