Security Incidents mailing list archives
Re: DNS zone transfer
From: James Hoagland <hoagland () SILICONDEFENSE COM>
Date: Fri, 1 Sep 2000 15:45:28 -0700
At 3:18 PM +0100 9/1/00, Fernando Cardoso wrote:
I guess you are used to seeing (as I am) lots of AXFRs from all places. Usually they come along with bind.version queries since the named NXT bug scripts are still hot 3lee7 stuff. They don't cause any problem except for a couple of lines in my logs and, sometimes, a message to the tech contact of a compromised machine (hello .kr!!).

Yesterday, another AXFR try was made. This time from Canada: ts1-193.mtrl.ca.ziplink.net

My IDS logged the try:

[**] IDS212/dns-zone-transfer [**]
08/31-17:19:10.789779 165.154.200.193:21368 -> my.name.server:53
TCP TTL:109 TOS:0x0 ID:44578 DF
*****PA* Seq: 0xB4A43A Ack: 0xE367A43 Win: 0x2000
00 17 86 39 01 00 00 01 00 00 00 00 00 00 02 62 ...9...........b
6E 02 70 74 00 00 0F 00 01                      n.pt.....

Nothing new here... What is strange is that nothing was logged in the nameserver!! I've tried zone transfers with dig, nslookup, host and even with Sam Spade, and all of them left a log entry in the nameserver (bind 8.2.2-P5).
Actually, looking at your packet dump, it is not a zone transfer. It is a query for MX of bn.pt. You can read about the structure of DNS packets in RFC 1035 (ftp://ftp.is.co.za/rfc/rfc1035.txt).

I recently posted to the Snort-users mailing list about possible improvements to the arachNIDS signature for zone transfers. In short, look for 0xFC past byte 13. See http://www.geocrawler.com/archives/3/4890/2000/8/0/4258922/ for my post.

Kind regards,
Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland () SiliconDefense com                       *|
|* Voice: (707) 445-4355 x13   Fax: (707) 826-7571     *|
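The decode Jim describes, written out as an added example (not code from either poster): it takes the 25 payload bytes from Fernando's alert, strips the 2-byte length prefix that DNS over TCP carries, parses the RFC 1035 header and question section, and reports the QTYPE, which turns out to be 15 (MX) for bn.pt rather than 252 (0xFC, AXFR). The AXFR request built alongside for comparison is constructed here, and all function and variable names are the example's own.

```python
"""Decode the DNS query from the IDS212 alert and check whether it is an AXFR.

Added example for this thread. ALERT_PAYLOAD is the hex dump quoted in the
post; the AXFR query built by build_query() is constructed for comparison."""
import struct

# Common QTYPE values from RFC 1035; AXFR is 252 (0xFC).
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
          15: "MX", 16: "TXT", 252: "AXFR", 255: "ANY"}
AXFR = 252

# 25 bytes from the alert: 2-byte TCP length prefix (0x0017 = 23) + 23-byte DNS message.
ALERT_PAYLOAD = bytes.fromhex(
    "00 17 86 39 01 00 00 01 00 00 00 00 00 00 02 62"
    "6E 02 70 74 00 00 0F 00 01"
)


def parse_name(msg, offset):
    """Return (name, offset_after_name) for a domain name at `offset` (RFC 1035 4.1.2).

    Handles compression pointers so the same routine also works on answers."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if not jumped:
                end = offset + 2  # the pointer ends the name in the original stream
            jumped = True
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_query(msg):
    """Parse the 12-byte header and the first question of a DNS message (no TCP prefix)."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_name(msg, 12)  # question section starts right after the header
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": ident, "flags": flags, "qname": qname, "qtype": qtype,
            "qtype_name": QTYPES.get(qtype, str(qtype)), "qclass": qclass}


def strip_tcp_length(payload):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) != length:
        raise ValueError("TCP length field does not match payload")
    return msg


def is_axfr(msg):
    """True only when the parsed question's QTYPE is AXFR, i.e. the 0xFC sits in the
    QTYPE field after the name, not merely somewhere in the packet."""
    return parse_query(msg)["qtype"] == AXFR


def build_query(name, qtype, ident=0x1234):
    """Construct a minimal standard query (RD set, one question) for `name`/`qtype`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    alert_msg = strip_tcp_length(ALERT_PAYLOAD)
    print(parse_query(alert_msg), "axfr:", is_axfr(alert_msg))
    print("constructed AXFR for bn.pt, axfr:", is_axfr(build_query("bn.pt", AXFR)))
```

Because the name is parsed label by label before the QTYPE is read, the check keys on the actual QTYPE field rather than on a byte pattern at a fixed offset, which is why an MX query for bn.pt does not register as a zone transfer while a genuine AXFR request for the same name does.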
Current thread:
- DNS zone transfer Fernando Cardoso (Sep 01)
- Re: DNS zone transfer James Hoagland (Sep 02)
- Re: DNS zone transfer H D Moore (Sep 03)
- <Possible follow-ups>
- Re: DNS zone transfer Fernando Cardoso (Sep 04)
- Re: DNS zone transfer Fernando Cardoso (Sep 04)