Snort mailing list archives
RE: DNS 53 <-> 53 ?
From: "John Berkers" <berjo () ozemail com au>
Date: Tue, 17 Jul 2001 23:12:58 +1000
This looks like a DNS Server is using a forwarder. When a DNS Server cannot resolve a name from its own zone files or cache, and has a forwarder configured, it passes the query to the forward lookup server. Communication is 53<->53, as you discovered. This is quite normal behaviour (if both servers are DNS servers). If there are no forwarders configured it will start probing root servers (a.root-servers.net, b.root-servers.net etc), with similar port information.

There are a whole bunch of details in a DNS zone. The SOA record is the Start Of Authority. It is supposed to identify the primary server for the domain, the administrative email address, default expiry, time to live, refresh etc. I guess you know A's are Address records, CNAMEs are Canonical Names (aliases), AAAAs are IPv6 addresses, MX are Mail eXchangers, NS are Name Servers.

As for why an ISP's DNS server is doing forward lookups off your firewall? Beats me. The address was not used for a DNS server in the past was it?

My $A0.02 (which is equivalent to about $US0.01 :)

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ramin Alidousti
Sent: Tuesday, 17 July 2001 22:28
To: Jens Hassler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DNS 53 <-> 53 ?

On Tue, Jul 17, 2001 at 09:23:06AM +0200, Jens Hassler wrote:
Hi there, I'm getting rather strange domain requests from three hosts on the Internet.

These are from port 53 TO port 53. I think there's no valid reason for any software to set source port == dest port? Or is there any?
The communication between the name servers *might* use 53 as src and is definitely 53 for dst. The question here is why they are forwarding stuff to your firewall. It reminds me of spoofing though. With older bind this was a way to corrupt the caching servers. Are these requests or replies?

Ramin
The requests are for domains like "strip-cam-world.de" or "kostenlos-strip.de". These domains can't be resolved, so it seems these hosts (one of them is a DNS from a big German ISP) are somewhat configured to forward requests to our firewall?! But why is src port = dst port? Is this some kind of an attack to bypass firewall rules? (This won't work with us, cause I only opened port 53 for our valid DNS servers.)

Here's the tcpdump output invoked with: tcpdump -n -e -vv -i eth0 src port 53 and dst port 53

======================================================
23:59:45.055655 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 15495 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 59676)
23:59:47.051786 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 20303 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 62934)
23:59:49.025672 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 4666 A? www.strip-cam-world.de. (40) (ttl 49, id 469)
23:59:51.032388 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 63434 A? www.strip-cam-world.de. (40) (ttl 49, id 4771)
00:33:12.708337 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56023)
00:33:18.560967 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56024)
01:03:25.135238 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 71: 194.25.0.125.domain > 212.185.42.146.domain: 60088 SOA? matti-ag.de. (29) (DF) (ttl 246, id 59792)
01:57:48.839694 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 194.25.0.125.domain > 212.185.42.146.domain: 49499 SOA? kostenlos-strip.de. (36) (DF) (ttl 246, id 35961)
======================================================

212.185.42.146 is our firewall machine. I get CNAME, A and SOA (notify) requests.

BTW: What are SOA requests? Didn't hear of them before...

What does the hardware address 0:0:0:0:0:1 mean? Is this some kind of broadcast or multicast? I'm rather sure it's not broadcast, but I don't know about multicast.

Thanks for any help in this issue.

Jens

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
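Added example, not part of the thread or of anyone's post in it: a small Python parser for the tcpdump summary lines Jens posted, which tallies queries per source host that have both src and dst port 53 and separates NOTIFY messages from ordinary queries. It assumes the 2001-era "tcpdump -n -e -vv" line format shown above (timestamp, direction marker, two MACs, IP length, src > dst, query id, optional notify marker, query type, name); the sample lines are copied from the quoted output.

```python
import re
from collections import Counter, namedtuple

# One DNS summary line in the "tcpdump -n -e -vv" format quoted in the thread:
# timestamp, direction (< or >), src MAC, dst MAC, IP length, src.port > dst.port,
# query id, optional "notify [...]" opcode marker, query type, queried name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) [<>] (?P<smac>\S+) (?P<dmac>\S+) ip (?P<len>\d+): "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<qid>\d+) (?:(?P<op>notify) \[[^\]]*\] )?(?P<qtype>[A-Z]+)\? (?P<name>\S+) "
)

DnsPacket = namedtuple("DnsPacket", "ts src sport dst dport qid qtype name notify")

def parse_line(line):
    """Parse one tcpdump line; returns None for lines that are not DNS summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DnsPacket(m["ts"], m["src"], m["sport"], m["dst"], m["dport"],
                     int(m["qid"]), m["qtype"], m["name"], m["op"] == "notify")

def summarize(lines):
    """Return (all parsed packets, per-source count of 53<->53 packets, NOTIFY packets)."""
    pkts = [p for p in map(parse_line, lines) if p is not None]
    port53_both = Counter(p.src for p in pkts if p.sport == p.dport == "domain")
    notifies = [p for p in pkts if p.notify]
    return pkts, port53_both, notifies

# Sample lines copied from the tcpdump output quoted in the thread (separator kept to
# show that non-DNS lines are skipped).
SAMPLE = """\
======================================================
23:59:45.055655 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 15495 CNAME? www.strip-cam-world.de. (40) (ttl 49, id 59676)
23:59:49.025672 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 82: 192.132.210.43.domain > 212.185.42.146.domain: 4666 A? www.strip-cam-world.de. (40) (ttl 49, id 469)
00:33:12.708337 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 78: 129.70.132.100.domain > 212.185.42.146.domain: 31023 notify [b2&3=0x2400] SOA? strip-cam-world.de. (36) (DF) (ttl 246, id 56023)
01:03:25.135238 < 0:b0:c2:8b:bd:3 0:0:0:0:0:1 ip 71: 194.25.0.125.domain > 212.185.42.146.domain: 60088 SOA? matti-ag.de. (29) (DF) (ttl 246, id 59792)
""".splitlines()

if __name__ == "__main__":
    pkts, by_src, notifies = summarize(SAMPLE)
    for src, n in by_src.most_common():
        print(f"{src}: {n} packet(s) with src port 53 and dst port 53")
    for p in notifies:
        print(f"NOTIFY from {p.src} for zone {p.name} (id {p.qid})")
```

Feed it the full capture with `summarize(open("dns53.txt").readlines())` to see which remote hosts are sending the most 53<->53 traffic and which of those packets are zone NOTIFYs rather than lookups.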