Snort mailing list archives
DNS 53 <-> 53 ?
From: "Jens Hassler" <j.hassler () gmx net>
Date: Tue, 17 Jul 2001 09:23:06 +0200
Hi there,

I'm getting rather strange domain requests from three hosts on the Internet. These are from port 53 TO port 53. I think there's no valid reason for any software to set source port == dest port? Or is there any?

The requests are for domains like "strip-cam-world.de" or "kostenlos-strip.de". These domains can't be resolved, so it seems these hosts (one of them is a DNS from a big German ISP) are somehow configured to forward requests to our firewall?! But why is src port = dst port? Is this some kind of attack to bypass firewall rules? (This won't work with us, because I only opened port 53 for our valid DNS servers.)

Here's the tcpdump output, invoked with: tcpdump -n -e -vv -i eth0 src port 53 and dst port 53

======================================================
23:59:45.055655 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 15495 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 59676)
23:59:47.051786 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 20303 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 62934)
23:59:49.025672 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 4666 A? www.strip-cam-world.de. (40) (ttl 49, id 469)
23:59:51.032388 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 63434 A? www.strip-cam-world.de. (40) (ttl 49, id 4771)
00:33:12.708337 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56023)
00:33:18.560967 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56024)
01:03:25.135238 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 71: 194.25.0.125.domain > 212.185.42.146.domain: 60088 SOA? matti-ag.de. (29) (DF) (ttl 246, id 59792)
01:57:48.839694 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 194.25.0.125.domain > 212.185.42.146.domain: 49499 SOA? kostenlos-strip.de. (36) (DF) (ttl 246, id 35961)
======================================================

212.185.42.146 is our firewall machine. I get CNAME, A and SOA (notify) requests.

BTW: What are SOA requests? I hadn't heard of them before...

What does the hardware address 0:0:0:0:0:1 mean? Is this some kind of broadcast or multicast? I'm rather sure it's not broadcast, but I don't know about multicast.

Thanks for any help with this issue.

Jens
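As an added example (not part of Jens's post or of the Snort project), here is a small Python parser for the tcpdump lines above: it splits each record into source, ports, opcode and query type, separates NOTIFY messages from plain queries sent from port 53, and tallies them per source host. The four sample lines are copied from the post; the triage labels are my own.

```python
import re
from collections import Counter, defaultdict

# Classic "tcpdump -n -e -vv" DNS summary lines; these four are copied from the post above.
SAMPLE = """\
23:59:45.055655 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 15495 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 59676)
23:59:49.025672 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 4666 A? www.strip-cam-world.de. (40) (ttl 49, id 469)
00:33:12.708337 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56023)
01:03:25.135238 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 71: 194.25.0.125.domain > 212.185.42.146.domain: 60088 SOA? matti-ag.de. (29) (DF) (ttl 246, id 59792)
""".splitlines()

# timestamp, direction, src MAC, dst MAC, length, src.port > dst.port: id [notify] [flags] TYPE? name
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) [<>] (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) ip \d+: "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\w+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\w+): "
    r"(?P<qid>\d+) (?P<notify>notify )?(?:\[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

def parse_line(line):
    """Split one tcpdump DNS line into its fields; return None if the line is not a DNS query."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["notify"] = rec["notify"] is not None  # "notify" marks the NOTIFY opcode (RFC 1996)
    return rec

def classify(rec):
    """Triage label. NOTIFY is a zone-change notice a primary sends to a secondary's port 53
    (RFC 1996); a plain query sent from port 53 is what older name servers did by default."""
    if rec["notify"]:
        return "notify"
    if rec["sport"] == rec["dport"] == "domain":
        return "query-src53"
    return "query"

def summarize(lines):
    """Per source IP: count of each label plus the distinct names asked for."""
    out = defaultdict(lambda: {"labels": Counter(), "names": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        out[rec["src"]]["labels"][classify(rec)] += 1
        out[rec["src"]]["names"].add(rec["qname"].rstrip("."))
    return dict(out)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, dict(info["labels"]), sorted(info["names"]))
```

Feed it the full capture (`tcpdump ... | python3 this.py` with `sys.stdin` in place of SAMPLE) to see at a glance which hosts send NOTIFYs for zones you do not serve and which merely query from port 53.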