Open Source and information security mailing list archives
 
Message-ID: <003a01c44986$43d8bf20$6602a8c0@laptop>
From: matthew at ploessel.com (Matthew Ploessel)
Subject: Strange TCP/IP DNS traffic

Shachar,

UDP port 53 is normally used for general dns traffic, however anytime
there is more than 576 bytes of data being transferred the DNS protocol
migrates up to TCP. Common reasons for this are zone transfers or
overall large server replies. Most likely your bind server or a user
and/or user application is doing some type of resolving which returns a
large reply and thus triggering the use of tcp traffic. I haven't
looked up the details of the rfc lately, but tcp is part of the dns
protocol, although just like you, many environments block it. If you
still want to, set up tcpdump for a few days and see if you get any
explanation for what's going on.

-Matt



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Shachar
Shemesh
Sent: Thursday, June 03, 2004 7:35 AM
To: full-disclosure@...sys.com
Subject: [Full-Disclosure] Strange TCP/IP DNS traffic


Hi all,

A few days ago I started seeing outbound TCP connections on port 53,
aimed at the .com NS servers. These were blocked by the firewall. I
realize that this does not violate any RFC, but it's still unusual.

The outbound traffic is not generated by the local bind installation,
which was asked to bind to port 53 for outbound traffic. Also,
/etc/resolv.conf lists 127.0.0.1 as the nameserver, so as far as I
understand such traffic should not be initiated by user programs.

Does anyone have any idea what that may be?

             Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
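Two checks a defender can script from Matt's explanation, as an added example that is not code from either poster: whether a captured UDP reply carries the TC bit that makes a resolver retry the query over TCP/53, and which destinations are receiving outbound TCP/53 connection attempts in a tcpdump log. The header builder, the SYN regex and the sample capture lines are constructed for this example.

```python
import re
import struct
from collections import Counter

def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident,
            "qr": bool(flags & 0x8000),  # 1 = response
            "tc": bool(flags & 0x0200),  # 1 = truncated: retry over TCP
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def reply_forces_tcp_retry(msg: bytes) -> bool:
    """True when a UDP response carries TC=1, so an RFC 1035 stub resolver
    repeats the query over TCP port 53 (the fallback described above)."""
    h = parse_dns_header(msg)
    return h["qr"] and h["tc"]

def dns_header(ident: int, response: bool, truncated: bool, ancount: int = 0) -> bytes:
    """Build a bare header for test messages (constructed helper)."""
    flags = (0x8000 if response else 0) | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)

# Matches a tcpdump -n line for a TCP SYN to port 53, e.g.
# "12:00:01.000000 IP 192.0.2.10.40001 > 198.51.100.5.53: Flags [S], ..."
SYN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: Flags \[S\]")

def outbound_tcp53_syns(lines, local_prefix: str) -> Counter:
    """Count TCP/53 connection attempts per destination that originate from
    hosts whose address starts with local_prefix (constructed helper)."""
    hits = Counter()
    for line in lines:
        m = SYN_RE.search(line)
        if m and m.group(1).startswith(local_prefix):
            hits[m.group(3)] += 1
    return hits

# Constructed sample capture (documentation address ranges only).
SAMPLE_LOG = [
    "12:00:01.000000 IP 192.0.2.10.40001 > 198.51.100.5.53: Flags [S], seq 1, win 5840",
    "12:00:01.000100 IP 192.0.2.10.40002 > 198.51.100.5.53: Flags [S], seq 1, win 5840",
    "12:00:02.000000 IP 192.0.2.10.40003 > 203.0.113.9.53: Flags [S], seq 1, win 5840",
    "12:00:03.000000 IP 192.0.2.10.40004 > 198.51.100.5.53: Flags [.], ack 1, win 5840",
    "12:00:04.000000 IP 203.0.113.50.1234 > 192.0.2.10.53: Flags [S], seq 1, win 5840",
]
```

Run `outbound_tcp53_syns` over a real `tcpdump -n 'tcp dst port 53'` capture to see which hosts and destinations account for the blocked connections; a truncated UDP reply from the same server just before each SYN is the normal TC fallback, while SYNs with no preceding UDP exchange deserve a closer look.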

