Re: Question on IIS servers and reverse lookup
From: Matt Ostiguy (ostiguy_at_gmail.com)
Date: 03/10/05
- In reply to: Maxime Ducharme: "Question on IIS servers and reverse lookup"
Date: Thu, 10 Mar 2005 16:34:01 -0500 To: Maxime Ducharme <mducharme@cybergeneration.com>
>
> I remember that nslookup() function of NT kernel
> uses NetBIOS if DNS doesn't reply anything
> (correct me if I'm wrong).
>
This is roughly it (I cannot swear to the implementation details, only
the real world results). Just one of my mailservers has generated
1824 blocked outbound requests to port 137 so far today. A cursory
check shows that they are going to hosts with no reverse DNS records.
When there are none, Windows will issue a direct NetBIOS name query.
An nbtstat -A x.x.x.x creates the same results - it issues a direct
NetBIOS name query to the remote host.

I don't have a pure IIS machine handy to confirm if it is the IIS
reverse logging setting that is specifically generating those name
resolution packets, but my logs indicate that my www log crunching
correlates highly with the generation of such packets - every hour
something calls the Windows name resolution API, and it cycles through
the various methods, generating them.

Matt Ostiguy
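
Added example, not part of the original post: a sketch of the check the message describes, tallying blocked outbound UDP/137 packets per source host and hour and listing the destinations that have no reverse DNS record. The log format, the addresses and the `ptr_check` parameter are constructed for illustration and are not taken from any firewall product or from the poster's logs.

```python
import re
import socket
from collections import Counter

# Constructed sample lines in a made-up firewall log format (not from the post).
SAMPLE_LOG = """\
2005-03-10T14:00:07 BLOCK OUT UDP 10.0.0.25:137 -> 203.0.113.9:137
2005-03-10T14:00:09 BLOCK OUT UDP 10.0.0.25:137 -> 198.51.100.40:137
2005-03-10T14:00:31 ALLOW OUT UDP 10.0.0.25:1045 -> 192.0.2.53:53
2005-03-10T15:00:04 BLOCK OUT UDP 10.0.0.25:137 -> 203.0.113.9:137
2005-03-10T15:12:44 BLOCK IN TCP 198.51.100.77:4312 -> 10.0.0.25:445
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\w+) (?P<dir>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def has_ptr(ip):
    """Live reverse lookup. Per the post, run from a Windows host this can
    itself fall back to a NetBIOS query, so prefer a non-Windows analysis box."""
    try:
        socket.gethostbyaddr(ip)
        return True
    except OSError:
        return False

def summarize(log_text, ptr_check=has_ptr):
    """Return (blocks per (source, hour), blocks per destination, no-PTR destinations)."""
    per_hour, per_dst = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["action"], m["dir"], m["proto"], m["dport"])
        if key != ("BLOCK", "OUT", "UDP", "137"):
            continue
        per_hour[(m["src"], m["ts"][:13])] += 1  # bucket by YYYY-MM-DDTHH
        per_dst[m["dst"]] += 1
    no_ptr = sorted(ip for ip in per_dst if not ptr_check(ip))
    return per_hour, per_dst, no_ptr

if __name__ == "__main__":
    # Constructed PTR table so the demo runs offline; drop it to use has_ptr.
    known_ptr = {"198.51.100.40"}
    per_hour, per_dst, no_ptr = summarize(SAMPLE_LOG, lambda ip: ip in known_ptr)
    for (src, hour), n in sorted(per_hour.items()):
        print(f"{src} {hour}:00  {n} blocked NetBIOS name queries")
    print("destinations without reverse DNS:", no_ptr)
```

Hourly buckets make the correlation with a scheduled job, such as the hourly log crunching mentioned above, visible at a glance.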