Re: DNS 53 <-> 53 ?

[Blake Frantz <blake () mc net>]

I don't know *why* you are recieving this traffic...purhaps a botched DNS
record or something...

> I think there's no valid reason for any software to set source port == dest
> port? Or is there any?

DNS will operate via 53 => 53 (udp) when:

your local server query's  a remote server
the remote server responds to your local servers query

a remote client query to your local server
your local server responds to that client

More recent versions of BIND don't query from port 53 anymore, but they
give the option if its needed.  Look at the top of your /etc/named.conf:


options {
        directory "/var/named";
        // query-source address * port 53;
};


> 212.185.42.146 is our firewall machine. I get CNAME, A and SOA (notify)
> requests. BTW: What are SOA requests? Didn't hear of them before...

SOA = Start of Authority 

The SOA record indicated that the mentioned DNS server is the best place
to get information for data within its DNS domain.  It can contain
information such as contact info, refresh times, expire times, minimum
TTL, etc..

> What means the hardware address 0:0:0:0:0:1? Is this some kind of broadcast
> or multicast? I'm rather sure it's not broadcast, but I don't know about
> multicast.

It's probably a spoof...

Hope this helps.

-Blake


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users