Re: DNS zone transfer?

[Kiira Triea <kiira-t () mail bsasinc org>]

Hi, 

> I find it in my logs regularly. The first computer (initiating the
> connection) is a www/mail server, nothing to do with DNS, running under
> Linux.

Oh that has a *lot* to do with dns... sendmail and bind are married. 


> Second is a DNS server, using NT.
> It seems that the first one tries to download DNS zone hotmail.com! It
> doesn't make sense!
>
>
> > 07/04-06:24:06.179201 xxx.xxx.xxx.xxx:3211 -> xxx.xxx.xxx.xxx:53
> > TCP TTL:64 TOS:0x0 ID:16519 IpLen:20 DgmLen:71 DF
> > ***AP*** Seq: 0xB3A4D61B  Ack: 0x208246C  Win: 0x7D78  TcpLen: 20
> > 0x0000: 00 E0 18 90 75 23 00 06 29 EE 61 2E 08 00 45 00  ....u#..).a...E.
> > 0x0010: 00 47 40 87 40 00 40 06 B6 9B C3 74 DE 53 C3 74  .G@.@.@....t.S.t
> > 0x0020: DE 51 0C 8B 00 35 B3 A4 D6 1B 02 08 24 6C 50 18  .Q...5......$lP.
> > 0x0030: 7D 78 6E 93 00 00 00 1D 01 85 01 00 00 01 00 00  }xn.............
> > 0x0040: 00 00 00 00 07 68 6F 74 6D 61 69 6C 03 63 6F 6D  .....hotmail.com
> > 0x0050: 00 00 FF 00 01                                   .....

[ snippage of sniffage ]

Well if the originating machine is a mail server then it would
naturally be doing dns lookups in order to send mail out to
plopmail.com and so connecting on port 53 (dns) of the NT running dns
server. What makes you think this is an attempt at a zone
transfer... that only happens between two DNS servers.

Kiira 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users