Security Basics mailing list archives

RE: TCP DNS requests


From: "Paris E. Stone" <paris () archerva com>
Date: Thu, 31 Oct 2002 13:36:48 -0500


Question to ask: do you have a Windows 2000 domain controller on your
network?  If so, it could be the culprit.  Windows 2000 domain
controllers require DNS to function, and if you set it up to read DNS
from your DNS server, it is probably hammering your DNS server.

-----Original Message-----
From: Raghu Chinthoju [mailto:chraghu () hyd wilco-int com]
Sent: Wednesday, October 30, 2002 2:43 PM
To: 'Carl R Diliberto'; 'security-basics'
Subject: RE: TCP DNS requests


TCP/DNS(53) is used for zone transfer. To be simple, TCP/DNS(53) is
used between the name servers to exchange/update their name databases,
whereas UDP/DNS(53) is used for querying.

I see two possibilities for having generated TCP based DNS requests
in your network.
1. You must have another DNS server in that network trying to do zone
transfer with your server.
2. Someone is explicitly requesting your name server for zone
information. This could be done in many ways. For example, the "ls"
command of nslookup does it.

Cheers,
Raghu.

Wilco International Systems
Hyderabad.


-----Original Message-----
From: Carl R Diliberto [mailto:cdiliberto () hotmail com] 
Sent: Wednesday, October 30, 2002 7:16 PM
To: security-basics
Subject: TCP DNS requests

We are reporting TCP based DNS requests to one of our DNS servers
coming from internal, client IP addresses.  My manager would like to
block the TCP packets.  What or why would there be random TCP packets?
We monitored several clients and it appears it only needs UDP.

Thanks
Carl



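
An added example, not part of the original messages: one way to check what the TCP requests in the question actually are before deciding to block them, by reading the 2-byte length-prefixed DNS messages out of captured TCP payloads and separating zone transfer requests (AXFR/IXFR) from ordinary queries. The client addresses, names, and the `build_query` helper are constructed for the example.

```python
import struct
# QTYPE codes: RFC 1035 (A, SOA, AXFR, ...), RFC 1995 (IXFR), RFC 3596 (AAAA)
QTYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 28: "AAAA", 251: "IXFR", 252: "AXFR"}
ZONE_TRANSFER = {"AXFR", "IXFR"}

def build_query(name, qtype, txid=0x1234):
    """Build one DNS query with the 2-byte length prefix used over TCP."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    msg = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00"
    msg += struct.pack("!2H", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_queries(payload):
    """Yield (qname, qtype) for every length-prefixed DNS query in a TCP payload."""
    off = 0
    while off + 2 <= len(payload):
        (length,) = struct.unpack_from("!H", payload, off)
        msg = payload[off + 2 : off + 2 + length]
        off += 2 + length
        if length < 12 or len(msg) < length:
            return  # shorter than a DNS header, or capture cut off
        flags, qdcount = struct.unpack_from("!2H", msg, 2)
        if flags & 0x8000 or qdcount == 0:
            continue  # a response, or no question section
        labels, pos = [], 12
        try:
            while msg[pos]:
                n = msg[pos]
                if n > 63:
                    raise ValueError("compression pointer or bad label")
                labels.append(msg[pos + 1 : pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            (qtype,) = struct.unpack_from("!H", msg, pos + 1)
        except (IndexError, ValueError, struct.error):
            continue  # malformed question, skip it
        yield ".".join(labels), QTYPES.get(qtype, "TYPE%d" % qtype)

def triage(captures):
    """Map (client, payload) pairs to (client, qname, qtype, verdict) rows."""
    return [(c, q, t, "zone transfer request" if t in ZONE_TRANSFER else "ordinary query")
            for c, payload in captures for q, t in parse_tcp_queries(payload)]

# Constructed sample: TCP payloads to port 53 from three internal clients.
SAMPLE = [
    ("10.0.0.21", build_query("www.example.com", 1) + build_query("example.com", 15)),
    ("10.0.0.57", build_query("example.com", 252)),
    ("10.0.0.99", b"\x00\x05hello"),  # not DNS
]
```

`triage(SAMPLE)` returns one row per query, so clients sending AXFR or IXFR stand apart from clients that are only resolving names over TCP.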

