Full Disclosure mailing list archives
RE: Strange TCP/IP DNS traffic
From: "Matthew Ploessel" <matthew () ploessel com>
Date: Thu, 3 Jun 2004 09:17:25 -0700
Shachar,

UDP port 53 is normally used for general DNS traffic; however, any time there is more than 576 bytes of data being transferred, the DNS protocol migrates up to TCP. Common reasons for this are zone transfers or overall large server replies. Most likely your BIND server, or a user and/or user application, is doing some type of resolving which returns a large reply and is thus triggering the use of TCP traffic. I haven't looked up the details of the RFC lately, but TCP is part of the DNS protocol, although, just like you, many environments block it. If you still want to, set up tcpdump for a few days and see if you get any explanation for what's going on.

-Matt

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Shachar Shemesh
Sent: Thursday, June 03, 2004 7:35 AM
To: full-disclosure () netsys com
Subject: [Full-disclosure] Strange TCP/IP DNS traffic

Hi all,

A few days ago I started seeing outbound TCP connections on port 53, aimed at the .com NS servers. These were blocked by the firewall. I realize that this does not violate any RFC, but it's still unusual.

The outbound traffic is not generated by the local BIND installation, which was asked to bind to port 53 for outbound traffic. Also, /etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I understand such traffic should not be initiated by user programs.

Does anyone have any idea what that may be?

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
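The mechanism behind the thread is the TC (truncation) flag in the DNS header: when a reply does not fit the UDP size limit, the server sets TC and the resolver retries the same query over TCP, which is what shows up as outbound TCP/53 connections. The following Python is an added example for this page, not code from either poster; it decodes the DNS header flags from constructed sample responses (not captured traffic) so you can see which ones would cause a TCP retry, and it tallies outbound TCP/53 connection attempts from constructed tcpdump-style lines of the kind Matt suggests collecting. The 512-byte limit is the classic RFC 1035 UDP payload size (larger UDP replies are possible only when EDNS0 negotiates a bigger buffer); the sample addresses and port numbers are made up.

```python
import re
import struct
from collections import Counter

# Classic UDP DNS payload limit from RFC 1035 (without EDNS0).
UDP_PAYLOAD_LIMIT = 512


def parse_dns_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its ID, flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated: client should retry over TCP
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def expect_tcp_retry(msg: bytes) -> bool:
    """True when a UDP response carries TC, i.e. the resolver will repeat the query over TCP."""
    hdr = parse_dns_header(msg)
    return hdr["qr"] and hdr["tc"]


def exceeds_udp_limit(msg: bytes) -> bool:
    """True when a message is too large for the classic 512-byte UDP payload (EDNS0 aside)."""
    return len(msg) > UDP_PAYLOAD_LIMIT


def build_header(ident: int, *, qr: bool, tc: bool, ancount: int = 0) -> bytes:
    """Pack a DNS header with RD and RA set, QDCOUNT=1, and the given QR/TC bits (test helper)."""
    flags = (0x8000 if qr else 0) | (0x0200 if tc else 0) | 0x0100 | 0x0080
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by the root label."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


# Constructed sample messages (not captured traffic): question section for example.com IN A.
QUESTION = encode_qname("example.com") + struct.pack("!HH", 1, 1)
# Normal response: one A record (compression pointer 0xC00C back to the question name).
NORMAL_RESPONSE = (build_header(0x1234, qr=True, tc=False, ancount=1) + QUESTION
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# Truncated response: TC set, answer section dropped; the client must retry over TCP.
TRUNCATED_RESPONSE = build_header(0x1235, qr=True, tc=True, ancount=0) + QUESTION


def classify_responses(responses: dict) -> dict:
    """Map each sample response name to whether it triggers a TCP retry."""
    return {name: expect_tcp_retry(msg) for name, msg in responses.items()}


# Constructed tcpdump-style output (not from the thread), as produced by e.g. tcpdump -n 'tcp port 53'.
SAMPLE_TCPDUMP = """\
09:17:01.000001 IP 192.0.2.10.40123 > 198.51.100.1.53: Flags [S], seq 1, win 5840, length 0
09:17:01.000002 IP 198.51.100.1.53 > 192.0.2.10.40123: Flags [S.], seq 2, ack 2, win 5840, length 0
09:17:05.000003 IP 192.0.2.10.40124 > 198.51.100.2.53: Flags [S], seq 3, win 5840, length 0
09:17:09.000004 IP 192.0.2.10.40125 > 198.51.100.1.53: Flags [S], seq 4, win 5840, length 0
"""

# Only pure SYNs towards port 53 count as outbound connection attempts; SYN-ACKs ([S.]) do not match.
TCP53_SYN = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: Flags \[S\],")


def outbound_tcp53_syns(text: str) -> Counter:
    """Count outbound TCP/53 connection attempts per (source, destination) pair."""
    counts = Counter()
    for line in text.splitlines():
        m = TCP53_SYN.search(line)
        if m:
            counts[(m["src"], m["dst"])] += 1
    return counts


if __name__ == "__main__":
    samples = {"normal": NORMAL_RESPONSE, "truncated": TRUNCATED_RESPONSE}
    for name, retry in classify_responses(samples).items():
        print(f"{name}: TC={parse_dns_header(samples[name])['tc']} -> TCP retry expected: {retry}")
    for (src, dst), n in outbound_tcp53_syns(SAMPLE_TCPDUMP).items():
        print(f"{src} -> {dst}:53  {n} connection attempt(s)")
```

Correlating the TC-flagged UDP replies with the TCP SYNs that follow them (same destination, within a second or so) tells you whether the blocked TCP/53 traffic is ordinary truncation fallback from your own resolver or something else on the host; if no truncated UDP reply precedes a SYN, the connection is worth tracing back to its process.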
Current thread:
- Strange TCP/IP DNS traffic Shachar Shemesh (Jun 03)
- Re: Strange TCP/IP DNS traffic Nils Ketelsen (Jun 03)
- Re: Strange TCP/IP DNS traffic Nicolas Rachinsky (Jun 03)
- RE: Strange TCP/IP DNS traffic Matthew Ploessel (Jun 03)
- Re: Strange TCP/IP DNS traffic Skip Duckwall (Jun 03)
- <Possible follow-ups>
- Strange TCP/IP DNS traffic full-disclosure (Jun 03)