Security Incidents mailing list archives
RE: strange traffic on UDP port 53
From: "Greg A. Woods" <woods () weird com>
Date: Mon, 9 Jun 2003 15:11:53 -0400 (EDT)
[ On Monday, June 9, 2003 at 11:38:08 (-0700), David Gillett wrote: ]
> Subject: RE: strange traffic on UDP port 53
>
> > -----Original Message-----
> > From: Greg A. Woods [mailto:woods () weird com]
> >
> > [ On Friday, June 6, 2003 at 10:35:34 (-0700), David Gillett wrote: ]
> > > Subject: RE: strange traffic on UDP port 53
> > >
> > > Replies to DNS queries should be coming FROM port 53,
> >
> > True, though unfortunately it's not always the case....
>
> but your further paragraph argues that it is hardly unfortunate at
> all, since it's *practically always* the case.

Indeed -- I was confusing "replies to DNS queries" with "DNS queries". :-) (because usually I avoid the confusion by calling them "DNS replies")

DNS queries should have a source port of 53, but often don't. DNS queries MUST have a destination port of 53. DNS replies simply swap the source and destination (addresses and port numbers together) and out they go.

> If a UDP packet is FROM an ephemeral port TO port 53, it's almost
> certainly a DNS *request*, and not a *reply*. And that's the pattern
> reported in this case.
Indeed it is!

--
Greg A. Woods
+1 416 218-0098; <g.a.woods () ieee org>; <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
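An added example, not part of the original message: a triage helper that applies the port rule discussed in this thread to a UDP datagram and cross-checks it against the QR bit in the DNS header (RFC 1035), so traffic to port 53 that does not parse as a query stands out. The function names, the sample payloads and the verdict strings are constructed for illustration.

```python
import struct

DNS_PORT = 53

def port_role(sport, dport):
    """Direction implied by the ports alone (the rule from the thread)."""
    if sport == DNS_PORT and dport == DNS_PORT:
        return "either"      # server-to-server: ports cannot tell direction
    if dport == DNS_PORT:
        return "query"       # ephemeral -> 53
    if sport == DNS_PORT:
        return "reply"       # 53 -> ephemeral (source/destination swapped)
    return "not-dns"

def header_role(payload):
    """Direction stated by the DNS header; QR is the top bit of the flags word."""
    if len(payload) < 12:    # fixed DNS header is 12 bytes
        return "malformed"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        return "reply"
    return "query" if qdcount >= 1 else "malformed"

def triage(sport, dport, payload):
    """Return 'query', 'reply', 'ignore', or a 'suspicious: ...' verdict."""
    by_port = port_role(sport, dport)
    if by_port == "not-dns":
        return "ignore"
    by_header = header_role(payload)
    if by_port == "either" and by_header != "malformed":
        return by_header
    if by_port == by_header:
        return by_port
    return f"suspicious: ports say {by_port}, header says {by_header}"

# Constructed sample payloads: a question for example.com, type A, class IN.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for pkt in [(34567, 53, QUERY), (53, 34567, REPLY),
                (34567, 53, REPLY), (34567, 53, b"\x00" * 4)]:
        print(pkt[0], "->", pkt[1], ":", triage(*pkt))
```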