Snort mailing list archives

Re: DNS 53 <-> 53 ?


From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Tue, 17 Jul 2001 08:27:32 -0400

On Tue, Jul 17, 2001 at 09:23:06AM +0200, Jens Hassler wrote:

Hi there,


I'm getting rather strange domain requests from three hosts on the Internet.
These are from port 53 TO port 53.

I think there's no valid reason for any software to set source port == dest
port? Or is there any?

The communication between the name servers *might* use 53 as src and is
definitely 53 for dst. The question here is why they are forwarding
stuff to your firewall.

It reminds me of spoofing though. With older bind this was a way to
corrupt the caching servers. Are these requests or replies?

Ramin


The requests are for domains like "strip-cam-world.de" or
"kostenlos-strip.de". These domains can't be resolved, so it seems these
hosts (one of them is a DNS from a big German ISP) are somehow configured
to forward requests to our firewall?! But why is src port = dst port? Is
this some kind of an attack to bypass firewall rules? (This won't work with
us, because I only opened port 53 for our valid DNS servers).


Here's the tcpdump output invoked with:

tcpdump -n -e -vv -i eth0 src port 53 and dst port 53


======================================================
23:59:45.055655 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 15495 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 59676)
23:59:47.051786 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 20303 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 62934)
23:59:49.025672 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 4666 A? www.strip-cam-world.de. (40) (ttl 49, id 469)
23:59:51.032388 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 63434 A? www.strip-cam-world.de. (40) (ttl 49, id 4771)
00:33:12.708337 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56023)
00:33:18.560967 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56024)
01:03:25.135238 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 71: 194.25.0.125.domain > 212.185.42.146.domain: 60088 SOA? matti-ag.de. (29) (DF) (ttl 246, id 59792)
01:57:48.839694 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 194.25.0.125.domain > 212.185.42.146.domain: 49499 SOA? kostenlos-strip.de. (36) (DF) (ttl 246, id 35961)
======================================================

212.185.42.146 is our firewall machine. I get CNAME, A and SOA (notify)
requests. BTW: What are SOA requests? Didn't hear of them before...

What does the hardware address 0:0:0:0:0:1 mean? Is this some kind of broadcast
or multicast? I'm rather sure it's not broadcast, but I don't know about
multicast.


Thanks for any help in this issue.
Jens
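One way to triage a capture like the one above, as an added example written for this archive page and not code from anyone in the thread: a Python script that parses tcpdump DNS query lines, keeps only the port 53 to port 53 traffic, and labels each sending host by whether it sent NOTIFY (expected only from the primary of a zone the firewall is a secondary for) or ordinary queries from a fixed source port of 53 (how older name servers such as BIND 8 sent their own outbound queries). The sample lines are constructed in the format of the capture above; the regex, the labels and the extra client-query line are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the tcpdump output quoted above
# (tcpdump -n -e -vv ... src port 53 and dst port 53), plus one ordinary client query.
SAMPLE = """\
23:59:45.055655 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 15495 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 59676)
00:33:12.708337 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56023)
01:03:25.135238 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 71: 194.25.0.125.domain > 212.185.42.146.domain: 60088 SOA? matti-ag.de. (29) (DF) (ttl 246, id 59792)
10:00:00.000000 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 90: 10.0.0.7.1234 > 212.185.42.146.domain: 7 A? example.org. (29) (ttl 64, id 1)
"""

PORT_NAMES = {"domain": 53}  # tcpdump -n still prints service names for well-known ports

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*? ip \d+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"(?P<qid>\d+)[*+|%-]* (?:notify \[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

def parse(line):
    """Fields of one tcpdump DNS query line, or None if the line is not a query."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):
        rec[key] = int(PORT_NAMES.get(rec[key], rec[key]))
    rec["notify"] = " notify " in line  # how tcpdump marks the NOTIFY opcode
    return rec

def classify(rec):
    """Label a query from the firewall's point of view."""
    if rec["sport"] != 53 or rec["dport"] != 53:
        return "normal"  # stub client with an ephemeral source port
    if rec["notify"]:
        # NOTIFY comes from a zone's primary; only expected if we are a secondary for it.
        return "notify:" + rec["qname"]
    # A fixed source port of 53 is how older name servers (BIND 8 by default) sent
    # their own outbound queries, so the sender is most likely a name server.
    return "server-query:" + rec["qtype"]

def triage(text):
    """Group the 53->53 traffic by sending host: {src: sorted list of labels}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse(line)
        if rec is not None and classify(rec) != "normal":
            seen[rec["src"]].add(classify(rec))
    return {src: sorted(labels) for src, labels in seen.items()}
```

Hosts that show up only with "notify:" labels for zones you are not a secondary for, or with "server-query:" labels for zones you do not serve, are the ones whose operators (or forwarder configuration) need a closer look.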



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
