Security Incidents mailing list archives
Re: DNS zone transfer
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sat, 2 Sep 2000 13:53:19 -0500
Fernando Cardoso wrote:
My IDS logged the try:

[**] IDS212/dns-zone-transfer [**]
08/31-17:19:10.789779 165.154.200.193:21368 -> my.name.server:53
TCP TTL:109 TOS:0x0 ID:44578 DF
*****PA* Seq: 0xB4A43A Ack: 0xE367A43 Win: 0x2000
00 17 86 39 01 00 00 01 00 00 00 00 00 00 02 62  ...9...........b
6E 02 70 74 00 00 0F 00 01                       n.pt.....

Nothing new here... What is strange is that nothing was logged in the nameserver!! I've tried zone transfers with dig, nslookup, host and even with Sam Spade and all of them left a log entry in the nameserver (bind 8.2.2-P5).
The snort filter for zone transfers picks up _any_ connections to TCP port 53. Whether or not they actually tried to transfer a zone after making that connection determines what is logged.

-HD

odin:~ # binfo-udp www.digitaloffense.net
www.digitaloffense.net's named that errors on iquery is version: SkriptKiddieKiller/1.0
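Added example, not part of the original thread: a Python decoder for the TCP payload bytes shown in the alert above, which reports the query type so a hit on a signature keyed to TCP port 53 can be separated from an actual AXFR/IXFR request. The function names and the AXFR comparison sample are constructed for illustration.

```python
import struct

# Payload bytes copied from the Snort alert quoted in this thread.
ALERT_PAYLOAD = bytes.fromhex(
    "00 17 86 39 01 00 00 01 00 00 00 00 00 00 02 62 6E 02 70 74 00 00 0F 00 01")
# Constructed sample: the same query with QTYPE changed to AXFR (252).
AXFR_SAMPLE = ALERT_PAYLOAD[:-4] + b"\x00\xfc\x00\x01"

QTYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 251: "IXFR", 252: "AXFR", 255: "ANY"}
TRANSFER_QTYPES = {251, 252}


def parse_tcp_dns_query(payload):
    """Return (qname, qtype, qclass) for the first question of a DNS-over-TCP query."""
    if len(payload) < 2:
        raise ValueError("missing 2-byte TCP length prefix")
    (msg_len,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + msg_len]
    if msg_len < 12 or len(msg) < msg_len:
        raise ValueError("truncated DNS message")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query carrying a question")
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(msg):
            raise ValueError("malformed QNAME label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) or ".", qtype, qclass


def is_zone_transfer(payload):
    """True only when the query actually asks for AXFR or IXFR."""
    return parse_tcp_dns_query(payload)[1] in TRANSFER_QTYPES


if __name__ == "__main__":
    for name, data in (("alert", ALERT_PAYLOAD), ("constructed AXFR", AXFR_SAMPLE)):
        qname, qtype, _ = parse_tcp_dns_query(data)
        print(name, qname, QTYPES.get(qtype, qtype), is_zone_transfer(data))
```

Run against the alert's bytes, the question decodes to QTYPE 15 (MX), class IN, for the name spelled out in the hex dump, so the logged packet was not an AXFR request.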
Current thread:
- DNS zone transfer Fernando Cardoso (Sep 01)
- Re: DNS zone transfer James Hoagland (Sep 02)
- Re: DNS zone transfer H D Moore (Sep 03)
- <Possible follow-ups>
- Re: DNS zone transfer Fernando Cardoso (Sep 04)
- Re: DNS zone transfer Fernando Cardoso (Sep 04)