Security Incidents mailing list archives

RE: DNS help

From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 12 Dec 2002 14:54:29 -0500

That is exactly what I am trying to figure out. What is the meaning
of '[1au][|domain]'. 56162 is the DNS transaction ID. When a DNS server
makes a request a number is tagged to it, that way when the reply comes
back it can match it up with the request. I just don't know what the meaning
of 1au is.

vjl

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Thursday, December 12, 2002 12:18 PM
To: larosa, vjay
Cc: incidents () securityfocus com
Subject: Re: DNS help 


On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay () emc com>
said:

Hello,

These packets were caught using a shadow IDS sensor. I was hoping that
somebody
in the list could help me understand what is happening below. I am

familiar

with snort
and tcpdump, as well as the concept of packet fragmentation. I am mostly
interested in
finding out about the DNS requests being made, and why they are coming

back

fragmented.


Given that they fragged at 1480, I'd suspect you're going through a VPN
at some point.  You're going to their nameserver to look something up
and the replies are gettng fragged on the way.

Is your DNS server a secondary for a zone hosted at outside.guy.com?  This
looks like it might be AXFR traffic.  It's hard to tell without knowing what
IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant
I could tell you more.

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162
[1au][|domain] (DF)

12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
56162[|domain] (frag 48818:1480@0+)



-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

DNS help larosa, vjay (Dec 11)
- Re: DNS help Valdis . Kletnieks (Dec 12)
- <Possible follow-ups>
- RE: DNS help larosa, vjay (Dec 12)
  - Re: DNS help Valdis . Kletnieks (Dec 12)
  - Re: DNS help Matt Zimmerman (Dec 16)
- RE: DNS help Tom Arseneault (Dec 12)
- RE: DNS help Faron . Golden (Dec 12)