Security Incidents mailing list archives
RE: DNS help
From: Faron.Golden () Gunter AF mil
Date: Thu, 12 Dec 2002 15:58:41 -0600
from the man pages of tcpdump: src > dst: id op? flags qtype qclass name (len) with the narrative explaining that: If a query contains an answer, nameserver, or authorative section, ancount, nscount, or arcount are printed as [na], [nn], or [nau], where 'n' is the appropriate count. Applying that to the 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162
[1au][|domain] (DF) data,
you have a source > destination: id of 56162 1 authority section domaintype with a Don't Frag flag. Again, if the SHADOW sensor is functioning properly, you should be able to apply tcpdump to the raw data and read the HEX output to see exactly what was in the packet. -----Original Message----- From: larosa, vjay [mailto:larosa_vjay () emc com] Sent: Thursday, December 12, 2002 1:54 PM To: 'Valdis.Kletnieks () vt edu'; larosa, vjay Cc: incidents () securityfocus com Subject: RE: DNS help That is exactly what I am trying to figure out. What is the meaning of '[1au][|domain]'. 56162 is the DNS transaction ID. When a DNS server makes a request a number is tagged to it, that way when the reply comes back it can match it up with the request. I just don't know what the meaning of 1au is. vjl -----Original Message----- From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] Sent: Thursday, December 12, 2002 12:18 PM To: larosa, vjay Cc: incidents () securityfocus com Subject: Re: DNS help On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay () emc com> said:
Hello, These packets were caught using a shadow IDS sensor. I was hoping that somebody in the list could help me understand what is happening below. I am
familiar
with snort and tcpdump, as well as the concept of packet fragmentation. I am mostly interested in finding out about the DNS requests being made, and why they are coming
back
fragmented.
Given that they fragged at 1480, I'd suspect you're going through a VPN at some point. You're going to their nameserver to look something up and the replies are gettng fragged on the way. Is your DNS server a secondary for a zone hosted at outside.guy.com? This looks like it might be AXFR traffic. It's hard to tell without knowing what IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant I could tell you more.
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
-- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- DNS help larosa, vjay (Dec 11)
- Re: DNS help Valdis . Kletnieks (Dec 12)
- <Possible follow-ups>
- RE: DNS help larosa, vjay (Dec 12)
- Re: DNS help Valdis . Kletnieks (Dec 12)
- Re: DNS help Matt Zimmerman (Dec 16)
- RE: DNS help Tom Arseneault (Dec 12)
- RE: DNS help Faron . Golden (Dec 12)