Re: DNS 53 <-> 53 ?

[Ramin Alidousti <ramin () cannon eng us uu net>]

On Tue, Jul 17, 2001 at 11:12:58PM +1000, John Berkers wrote:

> This looks like a DNS Server is using a forwarder.  When a DNS Server cannot
> resolve a name from its own zone files or cache, and has a forwarder

It seems bizar to me that a big ISP forwards the queries to him (apparently
a customer). That's why spoofing could be an option.

> configured, it passes the query to the forward lookup server.  Communication
> is 53<->53, as you discovered.  This is quite normal behaviour (if both
> servers are DNS servers).  If there are no forwarders configured it will
> start probing root servers (a.root-servers.net, b.root-servers.net etc),
> with similar port information.
>
> There are a whole bunch of details in a DNZ zone.  The SOA record is the
> Start Of Authority.  It is supposed to identify the primary server for the
> domain, the administrative email address, default expiry, time to live,
> refresh etc.  I guess you know A's are Address records, CNAMEs are Canonical
> Names (aliases), AAAAs are IPv6 addresses, MX are Mail eXchangers, NS are
> Name Servers.
>
> As for why an ISP's DNS server is doing forward lookups off your firewall?
> Beats me.  The address was not used for a DNS server in the past was it?
>
> My $A0.02 (which is equivalent to about $US0.01 :)

Your explanation above is worth much more than $US0.01. Another 4 emails
and the rates will be 1:1 :-)

Ramin

>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users