Full Disclosure mailing list archives
Re: Strange TCP/IP DNS traffic
From: Skip Duckwall <skip () duckwall net>
Date: Thu, 3 Jun 2004 13:22:37 -0500 (CDT)
On Thu, 3 Jun 2004, Shachar Shemesh wrote:
> Hi all, A few days ago I started seeing outbound TCP connection on port 53, aimed at the .com NS servers. These were blocked by the firewall. I realize that this does not violate any RFC, but it's still unusual.
TCP is used for DNS when the size of the UDP response exceeds 512 bytes. When this happens, the UDP response sets a truncated flag which tells the resolver to connect via TCP to get the whole thing. The only time I've seen this behavior in the last few years has been when sending mail to large ISP/businesses when the results of a MX record query exceed 512 bytes. So blocking it outbound might result in E-mail not going through.
> The outbound traffic is not generated by the local bind installation, which was asked to bind to port 53 for outbound traffic. Also, /etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I understand such traffic should not be initiated by user programs.
This just tells the machine that it should use localhost for name resolution. Unless you have the world's biggest /etc/hosts file, you are probably running some sort of name server (bind/named for example).

Alva Lease 'Skip' Duckwall IV
skip at duckwall dot net
CISSP, RHCE, SCSA

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
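The TCP fallback Skip describes is a decision the resolver makes from the header of the UDP reply: if the TC (truncated) bit is set, it repeats the same query over TCP port 53, where each message is prefixed by a 2-byte length. The following is an added example, not code from the thread or from BIND, showing a minimal DNS header parser, the TC check a resolver applies before opening TCP/53, and the TCP framing. The query name `example.com`, transaction id `0x1234` and the truncated MX reply are constructed sample data.

```python
import struct

# RFC 1035 header: id, flags, qdcount, ancount, nscount, arcount (all 16-bit, network order)
DNS_HEADER = struct.Struct("!HHHHHH")
UDP_PAYLOAD_LIMIT = 512   # classic limit without EDNS0; larger answers come back truncated

FLAG_QR = 0x8000   # 1 = response
FLAG_TC = 0x0200   # truncated: answer did not fit in the UDP payload, retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
QTYPE_MX = 15


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=QTYPE_MX):
    """A standard recursive query with one question (class IN)."""
    header = DNS_HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, qtype=QTYPE_MX, truncated=False):
    """Constructed reply echoing the question; a truncated reply carries TC and no answers."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = DNS_HEADER.pack(txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields a resolver checks."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query, udp_response):
    """True when a resolver should repeat this query over TCP port 53.

    The reply must be a response matching the query id; a stray or spoofed
    packet with TC set should not be able to trigger the TCP connection.
    """
    q = parse_header(query)
    r = parse_header(udp_response)
    if not r["qr"] or r["id"] != q["id"]:
        return False
    return r["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Split a TCP byte stream back into DNS messages; incomplete trailing data is dropped."""
    messages, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages


# Constructed sample exchange: an MX lookup whose UDP reply came back truncated.
SAMPLE_QUERY = build_query(0x1234, "example.com")
TRUNCATED_REPLY = build_response(0x1234, "example.com", truncated=True)
COMPLETE_REPLY = build_response(0x1234, "example.com", truncated=False)

if __name__ == "__main__":
    if needs_tcp_retry(SAMPLE_QUERY, TRUNCATED_REPLY):
        print("TC set: resolver would reconnect over TCP/53 and send",
              len(frame_for_tcp(SAMPLE_QUERY)), "bytes (2-byte length + query)")
```

In a deployment that blocks outbound TCP/53, a resolver that sees TC set has no path to the full answer, which is why the MX lookups Skip mentions can fail silently; logging the TC bit on inbound UDP replies is a cheap way to see how often that fallback is actually being requested.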
Current thread:
- Strange TCP/IP DNS traffic Shachar Shemesh (Jun 03)
- Re: Strange TCP/IP DNS traffic Nils Ketelsen (Jun 03)
- Re: Strange TCP/IP DNS traffic Nicolas Rachinsky (Jun 03)
- RE: Strange TCP/IP DNS traffic Matthew Ploessel (Jun 03)
- Re: Strange TCP/IP DNS traffic Skip Duckwall (Jun 03)
- <Possible follow-ups>
- Strange TCP/IP DNS traffic full-disclosure (Jun 03)