Security Incidents mailing list archives

RE: DNS help

From: Faron.Golden () Gunter AF mil
Date: Thu, 12 Dec 2002 15:58:41 -0600

from the man pages of tcpdump:
src > dst: id  op?  flags  qtype qclass name (len)

with the narrative explaining that:
If a query contains an answer, nameserver, or authorative section, ancount,
nscount, or arcount are printed as [na], [nn], or [nau], where 'n' is the
appropriate count.
Applying that to the 12:15:24.020319 DNS.server.com.33795 >
outside.guy.com.domain:  56162

[1au][|domain] (DF) data,

you have a source > destination:  id of 56162   1 authority section
domaintype with a Don't Frag flag.  Again, if the SHADOW sensor is
functioning properly, you should be able to apply tcpdump to the raw data
and read the HEX output to see exactly what was in the packet.

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Thursday, December 12, 2002 1:54 PM
To: 'Valdis.Kletnieks () vt edu'; larosa, vjay
Cc: incidents () securityfocus com
Subject: RE: DNS help 

That is exactly what I am trying to figure out. What is the meaning
of '[1au][|domain]'. 56162 is the DNS transaction ID. When a DNS server
makes a request a number is tagged to it, that way when the reply comes
back it can match it up with the request. I just don't know what the meaning
of 1au is.

vjl

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Thursday, December 12, 2002 12:18 PM
To: larosa, vjay
Cc: incidents () securityfocus com
Subject: Re: DNS help 

On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay () emc com>
said:

Hello,

These packets were caught using a shadow IDS sensor. I was hoping that
somebody
in the list could help me understand what is happening below. I am

familiar

with snort
and tcpdump, as well as the concept of packet fragmentation. I am mostly
interested in
finding out about the DNS requests being made, and why they are coming

back

fragmented.


Given that they fragged at 1480, I'd suspect you're going through a VPN
at some point.  You're going to their nameserver to look something up
and the replies are gettng fragged on the way.

Is your DNS server a secondary for a zone hosted at outside.guy.com?  This
looks like it might be AXFR traffic.  It's hard to tell without knowing what
IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant
I could tell you more.

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162
[1au][|domain] (DF)

12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
56162[|domain] (frag 48818:1480@0+)



-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

DNS help larosa, vjay (Dec 11)
- Re: DNS help Valdis . Kletnieks (Dec 12)
- <Possible follow-ups>
- RE: DNS help larosa, vjay (Dec 12)
  - Re: DNS help Valdis . Kletnieks (Dec 12)
  - Re: DNS help Matt Zimmerman (Dec 16)
- RE: DNS help Tom Arseneault (Dec 12)
- RE: DNS help Faron . Golden (Dec 12)