lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
From: nils at druecke.strg-alt-entf.org (Nils Ketelsen)
Subject: Strange TCP/IP DNS traffic

On Thu, Jun 03, 2004 at 05:35:22PM +0300, Shachar Shemesh wrote:

> The outbound traffic is not generated by the local bind installation, 
> which was asked to bind to port 53 for outbound traffic. Also, 
> /etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I 
> understand such traffic should not be initiated by user programs.
> 
> Anyone has any idea what that may be?

Easiest guess: Some user doing an host or nslookup or something, by hand
choosing to send it to the nameserver the packets are targeted to. Something
like "host -t ns microsoft.com H.GTLD-SERVERS.NET"

Or some stupid application not using the gethostbyname systemcall but
rather implementing it itself. There are some people out there believing
they can do it better than the system call. Most of them screwed it up.

Nils
-- 
Nils Ketelsen  // Mississauga, Canada
43? 35' 13"N, 79? 38' 23"W
mailto:`#!/bin/sh`@...ecke.strg-alt.entf.org
http://druecke.strg-alt-entf.org/

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux