Full Disclosure mailing list archives
Re: Strange TCP/IP DNS traffic
From: Nils Ketelsen <nils () druecke strg-alt-entf org>
Date: Thu, 3 Jun 2004 11:29:25 -0400
On Thu, Jun 03, 2004 at 05:35:22PM +0300, Shachar Shemesh wrote:
> The outbound traffic is not generated by the local bind installation, which was asked to bind to port 53 for outbound traffic. Also, /etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I understand such traffic should not be initiated by user programs. Does anyone have any idea what that may be?
Easiest guess: Some user doing a host or nslookup or something, by hand choosing to send it to the nameserver the packets are targeted to. Something like "host -t ns microsoft.com H.GTLD-SERVERS.NET"

Or some stupid application not using the gethostbyname system call but rather implementing it itself. There are some people out there believing they can do it better than the system call. Most of them screwed it up.

Nils

--
Nils Ketelsen // Mississauga, Canada 43° 35' 13"N, 79° 38' 23"W
mailto:`#!/bin/sh`@druecke.strg-alt.entf.org
http://druecke.strg-alt-entf.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
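One way to test both guesses on the host itself, as an added example that is not part of the original thread: read the kernel socket table and list sockets that talk to a remote port 53 without using the local resolver or bind's pinned source port. The function names and the sample table are constructed for illustration, and the decoder assumes IPv4 on a little-endian Linux host.

```python
import socket

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    25        0 11001
   1: 0A0200C0:0035 076433C6:0035 01 00000000:00000000 00:00000000 00000000    25        0 11002
   2: 0100007F:9C40 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 11003
   3: 0A0200C0:C93B 1E7100CB:0035 01 00000000:00000000 00:00000000 00000000  1000        0 99001
"""

def decode(endpoint):
    """'0100007F:0035' -> ('127.0.0.1', 53); assumes IPv4, little-endian host."""
    addr_hex, port_hex = endpoint.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1]), int(port_hex, 16)

def resolver_bypass(table, dns_port=53):
    """Sockets talking to a remote DNS port without going through local bind."""
    hits = []
    for line in table.splitlines()[1:]:      # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        (lip, lport), (rip, rport) = decode(f[1]), decode(f[2])
        if rport != dns_port:
            continue  # not DNS (also skips listeners, whose remote port is 0)
        if rip.startswith("127."):
            continue  # stub query to the local resolver, as resolv.conf intends
        if lport == dns_port:
            continue  # bind itself, pinned to source port 53
        hits.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                     "uid": int(f[7]), "inode": int(f[9])})
    return hits

if __name__ == "__main__":
    for hit in resolver_bypass(SAMPLE):
        print(hit)
```

On a live system the same function can be fed the contents of /proc/net/tcp or /proc/net/udp, and the reported inode matched against the `socket:[inode]` links under /proc/<pid>/fd to name the process. Unconnected UDP sockets show a zero remote address there and will not appear.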