Security Incidents mailing list archives

Re: DNS help


From: Valdis.Kletnieks () vt edu
Date: Thu, 12 Dec 2002 12:17:35 -0500

On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay () emc com>  said:
Hello,

These packets were caught using a shadow IDS sensor. I was hoping that
somebody in the list could help me understand what is happening below. I am
familiar with snort and tcpdump, as well as the concept of packet
fragmentation. I am mostly interested in finding out about the DNS requests
being made, and why they are coming back fragmented.

Given that they fragged at 1480, I'd suspect you're going through a VPN
at some point.  You're going to their nameserver to look something up
and the replies are getting fragged on the way.

Is your DNS server a secondary for a zone hosted at outside.guy.com?  This
looks like it might be AXFR traffic.  It's hard to tell without knowing what
IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant
I could tell you more.

12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162
[1au][|domain] (DF)

12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
56162[|domain] (frag 48818:1480@0+)


-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
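As an added example (not part of the thread), a small parser for tcpdump lines like the two quoted above: it pairs the query with its fragmented reply by DNS transaction id, reads the IP id, fragment length and offset from `(frag id:len@off+)`, reads the `[Nau]` additional-record count (where an EDNS0 OPT record would be carried), and flags `[|domain]`, tcpdump's marker that the snaplen cut the DNS message short. The third sample line is a constructed trailing fragment, since real captures print non-first fragments without ports or DNS fields; the MTU estimate assumes an IP header without options.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two tcpdump lines quoted in the thread, plus one
# made-up trailing fragment (tcpdump prints those without ports or DNS fields).
SAMPLE = """\
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain:  56162 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
12:15:24.171201 outside.guy.com > DNS.server.com: (frag 48818:212@1480)
"""
ENDPOINTS = re.compile(r"^\S+ (\S+) > (\S+):")
TXID = re.compile(r":\s+(\d+)")                        # DNS transaction id after the colon
ADDITIONAL = re.compile(r"\[(\d+)au\]")                # [Nau]: N additional RRs (arcount)
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")  # (frag ipid:len@offset[+ = more])
IP_HEADER, UDP_HEADER = 20, 8                          # assumes an IP header without options

def parse_line(line):
    """Extract endpoints, DNS txid, arcount and IP fragment fields from one tcpdump line."""
    m = ENDPOINTS.match(line)
    if not m:
        return None
    txid, arc, frag = TXID.search(line, m.end() - 1), ADDITIONAL.search(line), FRAG.search(line)
    return {"src": m.group(1), "dst": m.group(2),
            "txid": int(txid.group(1)) if txid else None,
            "additional": int(arc.group(1)) if arc else 0,
            "truncated": "[|domain]" in line,           # snaplen cut the DNS message short
            "frag": {"id": int(frag.group(1)), "len": int(frag.group(2)),
                     "offset": int(frag.group(3)), "more": frag.group(4) == "+"} if frag else None}

def analyze(text):
    """Pair queries with replies by txid and describe every fragmented DNS reply.
    The first fragment's length plus the IP header is the MTU of the link it left."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    queries = {r["txid"]: r for r in recs if r["txid"] is not None and not r["frag"]}
    by_ipid = defaultdict(list)
    for r in recs:
        if r["frag"]:
            by_ipid[r["frag"]["id"]].append(r["frag"])
    findings = []
    for r in recs:
        f = r["frag"]
        if not f or f["offset"] != 0 or r["txid"] is None:
            continue                                  # only the first fragment has UDP/DNS headers
        q = queries.get(r["txid"])
        last = max(by_ipid[f["id"]], key=lambda p: p["offset"])
        findings.append({
            "txid": r["txid"], "ip_id": f["id"], "server": r["src"], "link_mtu": f["len"] + IP_HEADER,
            "query_had_additional_rr": bool(q and q["additional"]),  # where an EDNS0 OPT RR sits
            "dns_bytes": None if last["more"] else last["offset"] + last["len"] - UDP_HEADER,
            "capture_truncated": r["truncated"]})
    return findings
```

Run `analyze(SAMPLE)` to get one finding for txid 56162; `dns_bytes` is `None` when the final fragment has not been seen.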
