Security Incidents mailing list archives
Re: DNS zone transfer
From: Fernando Cardoso <fernando () BN PT>
Date: Mon, 4 Sep 2000 10:35:09 +0100
[...]
Actually, looking at your packet dump, it is not a zone transfer. It is a query for MX of bn.pt. You can read about the structure of DNS packets in RFC 1035 (ftp://ftp.is.co.za/rfc/rfc1035.txt).
Bingo. You're right. Looking again at the RFC and the dump, it was easy to find out. It's always easy when you know where to look :-) Thanks.
I recently posted to the Snort-users mailing list about possible improvements to the arachNIDS signature for zone transfers. In short, look for 0xFC past byte 13. See http://www.geocrawler.com/archives/3/4890/2000/8/0/4258922/ for my post.
Yes. I think that would end these false positives.

Cheers

__________________________________________________________
Fernando Cardoso                Phone: +351 21 7982186
Network Administrator           Fax: +351 21 7982185
National Library                E-mail: fernando () bn pt
Portugal                        PGP ID: 28551CB8
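The thread turns on one detail of the RFC 1035 message format: after the 12-byte header and the QNAME labels, the two-byte QTYPE field is 15 (0x000F) for an MX lookup and 252 (0x00FC) for an AXFR zone transfer. The example below is an addition to this archive page, not code from the thread, from arachNIDS or from Snort. It builds constructed queries for the thread's own name, bn.pt, places the 0xFC-after-byte-13 heuristic from the quoted Snort-users post (read here as "any 0xFC byte from offset 13 onward", an assumption) beside a proper parse of the question section, and shows the TCP framing caveat: AXFR normally runs over TCP, where RFC 1035 section 4.2.2 prefixes every message with a two-byte length, so a rule written against fixed UDP offsets would be off by two.

```python
"""Classify DNS queries from raw bytes: MX lookup vs. zone transfer (AXFR/IXFR).

Added example for the Security Incidents thread on bn.pt; packets below are
constructed here, not captured from the poster's network.
"""
import struct

# QTYPE values from RFC 1035 section 3.2.2/3.2.3 (IXFR is defined in RFC 1995).
QTYPE_MX = 15
QTYPE_IXFR = 251
QTYPE_AXFR = 252

HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: six 16-bit fields


def encode_name(name):
    """Encode a dotted name as RFC 1035 labels: length byte + label bytes, 0-terminated."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("latin-1")  # latin-1 keeps each character a single byte
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, tcp=False):
    """Build a one-question standard query (RD set, class IN).

    With tcp=True, prepend the two-byte length that RFC 1035 4.2.2 requires on TCP.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if tcp:
        msg = struct.pack("!H", len(msg)) + msg
    return msg


def naive_axfr_match(msg):
    """The signature-style heuristic from the thread: any 0xFC byte past the header.

    "Past byte 13" is read here as offset 13 onward (an assumption about the post).
    """
    return b"\xfc" in msg[13:]


def parse_question(msg):
    """Parse the header and first question. Return (txid, qname, qtype, qclass).

    Raises ValueError on truncated or malformed input rather than guessing.
    """
    if len(msg) < HEADER_LEN:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    pos = HEADER_LEN
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in general, but nothing precedes the
            # first question for one to reference; reject rather than follow it.
            raise ValueError("compression pointer in first QNAME")
        labels.append(msg[pos:pos + length].decode("latin-1"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass


def classify(payload, tcp=False):
    """Return 'zone-transfer', 'mx' or 'other' for one DNS query payload.

    For TCP, strip and validate the two-byte length prefix first.
    """
    msg = payload
    if tcp:
        if len(payload) < 2:
            raise ValueError("missing TCP length prefix")
        (length,) = struct.unpack("!H", payload[:2])
        msg = payload[2:2 + length]
        if len(msg) != length:
            raise ValueError("TCP length prefix does not match payload")
    _txid, _qname, qtype, _qclass = parse_question(msg)
    if qtype in (QTYPE_AXFR, QTYPE_IXFR):
        return "zone-transfer"
    if qtype == QTYPE_MX:
        return "mx"
    return "other"


# Constructed sample packets (not from the original dump).
MX_QUERY = build_query("bn.pt", QTYPE_MX)            # what the poster actually saw
AXFR_UDP = build_query("bn.pt", QTYPE_AXFR)          # a real zone-transfer request
AXFR_TCP = build_query("bn.pt", QTYPE_AXFR, tcp=True)
ODD_MX = build_query("x\xfcy.bn.pt", QTYPE_MX)       # MX query whose label holds 0xFC

if __name__ == "__main__":
    for label, pkt, tcp in (("MX", MX_QUERY, False), ("AXFR/UDP", AXFR_UDP, False),
                            ("AXFR/TCP", AXFR_TCP, True), ("MX w/ 0xFC", ODD_MX, False)):
        print(f"{label:10} naive={naive_axfr_match(pkt)!s:5} parsed={classify(pkt, tcp)}")
```

The naive byte scan flags ODD_MX as a zone transfer because 0xFC happens to appear inside a label, while the parser reads the QTYPE field at its real position and reports it as MX; the parser also handles the TCP-framed AXFR that a fixed-offset rule tuned on UDP would miss.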
Current thread:
- DNS zone transfer Fernando Cardoso (Sep 01)
- Re: DNS zone transfer James Hoagland (Sep 02)
- Re: DNS zone transfer H D Moore (Sep 03)
- <Possible follow-ups>
- Re: DNS zone transfer Fernando Cardoso (Sep 04)
- Re: DNS zone transfer Fernando Cardoso (Sep 04)