Security Incidents mailing list archives
Re: DNS help
From: Valdis.Kletnieks () vt edu
Date: Thu, 12 Dec 2002 12:17:35 -0500
On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay () emc com> said:
Hello, These packets were caught using a shadow IDS sensor. I was hoping that somebody in the list could help me understand what is happening below. I am familiar with snort and tcpdump, as well as the concept of packet fragmentation. I am mostly interested in finding out about the DNS requests being made, and why they are coming back fragmented.
Given that they fragged at 1480, I'd suspect you're going through a VPN at some point. You're going to their nameserver to look something up and the replies are getting fragged on the way. Is your DNS server a secondary for a zone hosted at outside.guy.com? This looks like it might be AXFR traffic. It's hard to tell without knowing what IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant I could tell you more.
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
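As an added triage example, not part of the thread, here is a small Python parser for tcpdump lines in the format shown above: it pairs query and response by DNS transaction ID, records the additional-record count that tcpdump prints as `[Nau]` on the query, and reports responses that arrived fragmented together with the first fragment's payload size. The 20-byte IPv4 header used for the on-wire size estimate and the `.domain` suffix as the port-53 marker are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the two capture lines quoted in the thread.
SAMPLE = """\
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)"
    r"(?P<flags>[^(]*?)\s*(?:\((?P<tail>[^)]*)\))?\s*$"
)
# tcpdump fragment note: "frag <ip-id>:<payload-bytes>@<offset><+ if more fragments follow>"
FRAG_RE = re.compile(r"frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)")
IPV4_HDR = 20  # assumption: IPv4 header without options

@dataclass
class DnsExchange:
    txid: int
    query_additional: int = 0        # [Nau] count on the query line
    response_fragmented: bool = False
    first_frag_payload: int = 0      # payload bytes in the first fragment
    more_fragments: bool = False

    @property
    def implied_datagram_size(self) -> int:
        """On-wire size of the first fragment: IP header plus its payload."""
        return IPV4_HDR + self.first_frag_payload if self.response_fragmented else 0

def parse_tcpdump(text: str) -> dict[int, DnsExchange]:
    exchanges: dict[int, DnsExchange] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # not a DNS line in this format
        ex = exchanges.setdefault(int(m.group("txid")), DnsExchange(int(m.group("txid"))))
        is_query = m.group("dst").endswith(".domain")   # destination port 53
        if is_query:
            au = re.search(r"\[(\d+)au\]", m.group("flags") or "")
            ex.query_additional = int(au.group(1)) if au else 0
            continue
        frag = FRAG_RE.search(m.group("tail") or "")
        if frag:                               # response came back as an IP fragment
            ex.response_fragmented = True
            ex.first_frag_payload = int(frag.group("size"))
            ex.more_fragments = frag.group("more") == "+"
    return exchanges

def fragmented_responses(text: str) -> list[DnsExchange]:
    """Exchanges whose response was fragmented, for comparison with the expected path MTU."""
    return [e for e in parse_tcpdump(text).values() if e.response_fragmented]
```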