Full Disclosure mailing list archives
Re: FW: Question for DNS pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 25 Jul 2004 13:57:53 -0500
--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten <vanpattens () knology net> wrote:
It seems to me you could do this without setting up a dns server. Just tcpdump the traffic or sniff or snoop the traffic. If you set it up with a snaplength of 1500 you'll get enough of the packet to see exactly what dns query is being asked... something like:

tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4

And --On Sunday, July 25, 2004 11:41 AM +0200 Paul Rolland <rol () witbe net> wrote:

Update your tcpdump or verify the syntax. I just tried:

tcpdump -v -s 1500 -n udp port 53

on our NS server, and it shows the complete details of the request.

09:38:50.669060 eth0 < 67.166.39-62.rev.gaoland.net.3746 > sim-01.PAR.witbe.net.domain: 34277+ PTR? 250.92.168.192.in-addr.arpa. (45) (DF) (ttl 61, id 145)
For the last time, I have *already* done this. With both a snaplen of 1024 and a snaplen of 4096. It *hasn't* produced anything useful unless someone thinks *this* is useful (I'm using tcpdump on FreeBSD 4.9 RELEASE.):
tcpdump -c 100 -xX -s 4069 -i xl0 -p -w x.x.dump 'udp && host x.x.x.x && port 53'

(Our IP has been changed to x.x.x.x)
I've altered the real hostname on our network to "targethost" and altered the querying IP to x.x.x.x for privacy reasons. All these queries are *from* the same host. This pattern is *typical* of what I'm seeing from a *number of diverse hosts* from all over the world.
22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29462 NS? . (17)
22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29463 NS? . (17)
22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29464 NS? . (17)
22:06:13.298805 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30290 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:14.052600 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30291 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:14.799270 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30292 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:15.775488 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30818 NS? . (17)
22:06:16.526565 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30819 NS? . (17)
22:06:17.277716 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30820 NS? . (17)
22:06:18.776723 x.x.x.x.2566 > targethost.utdallas.edu.domain: 31424 PTR? 63.37.110.129.in-addr.arpa. (44)
Comparing "real" queries to a functioning nameserver to what I'm trying to figure out is apples to oranges. If these *were* real queries, I wouldn't even have posted this here. I would have already figured it out.
It really would help if folks would *read* the list before replying.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
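The capture above is the interesting artefact in this thread: one remote host, one fixed source port, bursts of three identical questions about 0.75 s apart, transaction IDs that step by one inside a burst and jump between bursts, and "NS? ." (a root NS query) aimed at a server that is not a root server. The following is an added example, not code from the thread or from any of its posters: a small Python parser for tcpdump DNS query lines in the format shown in the post, plus a per-source profile that pulls those features out so the stream can be told apart from a normal resolver's traffic. The ten lines are embedded verbatim as constructed sample input; the `retry_window`, `min_root_ns` and `distinct_names` thresholds in `classify()` are assumptions chosen for this sample, not established cut-offs.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the ten query lines quoted in the post above, one per line.
SAMPLE = """\
22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29462 NS? . (17)
22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29463 NS? . (17)
22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29464 NS? . (17)
22:06:13.298805 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30290 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:14.052600 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30291 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:14.799270 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30292 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:15.775488 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30818 NS? . (17)
22:06:16.526565 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30819 NS? . (17)
22:06:17.277716 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30820 NS? . (17)
22:06:18.776723 x.x.x.x.2566 > targethost.utdallas.edu.domain: 31424 PTR? 63.37.110.129.in-addr.arpa. (44)
"""

# One query line in the old tcpdump layout used in the post:
#   "HH:MM:SS.usec src.sport > dst.domain: id[+] QTYPE? qname (len)"
# The optional '+' after the id is tcpdump's marker for "recursion desired".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.domain:\s+"
    r"(?P<qid>\d+)(?P<rd>\+?)\s+"
    r"(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\((?P<len>\d+)\)"
)


@dataclass
class Query:
    t: float      # seconds since midnight; the capture carries no date
    src: str
    sport: int
    dst: str
    qid: int
    rd: bool      # recursion desired flag ('+' in tcpdump output)
    qtype: str
    qname: str


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_queries(text: str) -> list[Query]:
    """Parse query lines; anything that is not a query (responses, noise) is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Query(_seconds(m["ts"]), m["src"], int(m["sport"]), m["dst"],
                         int(m["qid"]), m["rd"] == "+", m["qtype"], m["qname"]))
    return out


def profile_sources(queries: list[Query], retry_window: float = 2.0) -> dict:
    """Per source host: how many questions, how many are 'NS? .', how often the
    same question is repeated within retry_window seconds, and whether the
    transaction ID is reused on a repeat (resolver retransmit) or stepped by one."""
    by_src: dict[str, list[Query]] = defaultdict(list)
    for q in queries:
        by_src[q.src].append(q)
    profiles = {}
    for src, qs in by_src.items():
        qs.sort(key=lambda q: q.t)
        root_ns = sum(1 for q in qs if q.qtype == "NS" and q.qname == ".")
        retries = retries_same_id = sequential_ids = 0
        for prev, cur in zip(qs, qs[1:]):
            same_question = (prev.qtype, prev.qname) == (cur.qtype, cur.qname)
            if same_question and cur.t - prev.t <= retry_window:
                retries += 1
                if cur.qid == prev.qid:
                    retries_same_id += 1
            if cur.qid == prev.qid + 1:
                sequential_ids += 1
        profiles[src] = {
            "queries": len(qs),
            "ports": len({q.sport for q in qs}),
            "root_ns": root_ns,
            "retries": retries,
            "retries_same_id": retries_same_id,
            "sequential_ids": sequential_ids,
            "distinct_names": len({(q.qtype, q.qname) for q in qs}),
            "span_s": round(qs[-1].t - qs[0].t, 3),
        }
    return profiles


def classify(profile: dict, min_root_ns: int = 3) -> str:
    """Assumed heuristic: a resolver talking to an authoritative server varies its
    questions and does not ask it for the root NS set; a scripted sender repeats
    one or two fixed questions, 'NS? .' among them."""
    if profile["root_ns"] >= min_root_ns and profile["distinct_names"] <= 2:
        return "probe-like"
    return "resolver-like"


if __name__ == "__main__":
    for src, prof in profile_sources(parse_queries(SAMPLE)).items():
        print(src, classify(prof), prof)
```

Run against the sample, the single source comes out with 10 queries from one port, 6 root NS questions, 6 repeats within two seconds none of which reuse the transaction ID, 6 ID steps of exactly one, and only two distinct questions, which `classify()` labels "probe-like". On a live capture, feed `tcpdump -n -s 1500 udp port 53` output through `parse_queries()` and look at the profiles for sources whose repeats never reuse an ID and whose questions the server cannot answer; those are the ones worth blocking or rate-limiting at the edge rather than answering.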