Security Incidents mailing list archives

RE: strange traffic on UDP port 53

From: "Greg A. Woods" <woods () weird com>
Date: Mon, 9 Jun 2003 15:11:53 -0400 (EDT)

[ On Monday, June 9, 2003 at 11:38:08 (-0700), David Gillett wrote: ]
Subject: RE: strange traffic on UDP port 53

-----Original Message-----
From: Greg A. Woods [mailto:woods () weird com]

[ On Friday, June 6, 2003 at 10:35:34 (-0700), David Gillett wrote: ]
Subject: RE: strange traffic on UDP port 53

  Replies to DNS queries should be coming FROM port 53,

True, though unfortunately it's not always the case.

  ... but your further paragraph argues that it is hardly unfortunate at
all, since it's *practically always* the case.

Indeed -- I was confusing "replies to DNS queries" with "DNS queries".   :-)
(because usually I avoid the confusion by calling them "DNS replies")

DNS queries should have a source port of 53, but often don't.

DNS queries MUST have a destination port of 53.

DNS replies simply swap the source and destination (addresses and port
numbers together) and out they go.

  If a UDP packet is FROM an ephemeral port TO port 53, it's almost
certainly a DNS *request*, and not a *reply*.  And that's the pattern
reported in this case.

Indeed it is!

                                                                Greg A. Woods

+1 416 218-0098;            <g.a.woods () ieee org>;           <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
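
Added example, not part of the original message: the port rule discussed in the thread (queries go TO port 53, replies come FROM port 53), cross-checked against the QR flag in the DNS header so a mismatch between the two stands out during triage. Function names and the sample packets are constructed for illustration.

```python
import struct

DNS_PORT = 53

def build_dns_header(txid, is_response):
    """Constructed 12-byte DNS header (RFC 1035 layout) used as sample input."""
    flags = 0x8180 if is_response else 0x0100   # QR is the top bit of the flags word
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if is_response else 0, 0, 0)

def classify_by_ports(sport, dport):
    """Port heuristic from the thread."""
    if sport == DNS_PORT and dport == DNS_PORT:
        return "ambiguous"      # both ends on 53: ports alone cannot tell
    if dport == DNS_PORT:
        return "query"          # ephemeral (or any) port -> 53
    if sport == DNS_PORT:
        return "reply"          # 53 -> whatever port the query came from
    return "not-dns"

def classify_by_qr(payload):
    """Read the QR flag; None if the payload is too short for a DNS header."""
    if len(payload) < 12:
        return None
    (flags,) = struct.unpack("!H", payload[2:4])
    return "reply" if flags & 0x8000 else "query"

def triage(sport, dport, payload):
    """Return (port_verdict, qr_verdict, consistent)."""
    by_port = classify_by_ports(sport, dport)
    by_qr = classify_by_qr(payload)
    if by_port == "not-dns" or by_qr is None:
        consistent = False      # on/near port 53 but not parseable as DNS, or unrelated
    elif by_port == "ambiguous":
        consistent = True       # ports undecided, header decides
    else:
        consistent = by_port == by_qr
    return by_port, by_qr, consistent

if __name__ == "__main__":
    samples = [                 # constructed (sport, dport, payload) tuples
        (33012, 53, build_dns_header(0x1a2b, False)),
        (53, 33012, build_dns_header(0x1a2b, True)),
        (53, 53, build_dns_header(0x0042, False)),
        (33012, 53, build_dns_header(0x0043, True)),
        (33012, 53, b"\x00\x00\x00\x00"),
    ]
    for sport, dport, payload in samples:
        print(sport, dport, triage(sport, dport, payload))
```
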

