lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2147483647.1090763873@[192.168.2.102]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: FW: Question for DNS pros

--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten 
<vanpattens@...logy.net> wrote:

>
> It seems to me you could do this without setting up a dns server. Just
> tcpdump the traffic or sniff or snoop the traffic. It you set it up with
> a snaplength of 1500 you'll get enough of the packet to see  exactly what
> dns query is being asked...something like
> tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4
>
And
--On Sunday, July 25, 2004 11:41 AM +0200 Paul Rolland <rol@...be.net> 
wrote:
>
> Update your tcpdump or verify the syntax.
> I just tried :
>
> tcpdump -v -s 1500 -n udp port 53
>
> on our NS server, and it shows the complete details of the request.
>
> 09:38:50.669060 eth0 < 67.166.39-62.rev.gaoland.net.3746 >
> sim-01.PAR.witbe.net.domain: 34277+ PTR? 250.92.168.192.in-addr.arpa. (45)
> (DF) (ttl 61, id 145)

For the last time, I have *already* done this.  With both a snaplen of 1024 
and a snaplen of 4096.  It *hasn't* produced anything useful unless someone 
thinks *this* is useful  (I'm using tcpdump on FreeBSD 4.9 RELEASE.):

tcpdump -c 100 -xX -s 4069 -i xl0 -p -w x.x.dump 'udp && host x.x.x.x && 
port 53' (Our IP has been changed to x.x.x.x)

I've altered the real hostname on our network to "targethost" and altered 
the querying IP to x.x.x.x for privacy reasons.  All these queries are 
*from* the same host.  This pattern is *typical* of what I'm seeing from a 
*number of diverse hosts* from all over the world.

22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29462 NS? . 
(17)
22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29463 NS? . 
(17)
22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29464 NS? . 
(17)
22:06:13.298805 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30290 PTR? 
63.37.110.129.in-addr.arpa. (44)
22:06:14.052600 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30291 PTR? 
63.37.110.129.in-addr.arpa. (44)
22:06:14.799270 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30292 PTR? 
63.37.110.129.in-addr.arpa. (44)
22:06:15.775488 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30818 NS? . 
(17)
22:06:16.526565 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30819 NS? . 
(17)
22:06:17.277716 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30820 NS? . 
(17)
22:06:18.776723 x.x.x.x.2566 > targethost.utdallas.edu.domain:  31424 PTR? 
63.37.110.129.in-addr.arpa. (44)

Comparing "real" queries to a functioning nameserver to what I'm trying to 
figure out is apples to oranges.  If these *were* real queries, I wouldn't 
even have posted this here.  I would have already figured it out.

It really would help if folks would *read* the list before replying.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ