RE: DNS help
From: larosa, vjay (larosa_vjay@emc.com)
Date: 12/12/02
From: "larosa, vjay" <larosa_vjay@emc.com> To: "'Valdis.Kletnieks@vt.edu'" <Valdis.Kletnieks@vt.edu>, "larosa, vjay" <larosa_vjay@emc.com> Date: Thu, 12 Dec 2002 14:54:29 -0500
That is exactly what I am trying to figure out. What is the meaning
of '[1au][|domain]'? 56162 is the DNS transaction ID. When a DNS server
makes a request a number is tagged to it, that way when the reply comes
back it can match it up with the request. I just don't know what the meaning
of 1au is.
vjl
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Thursday, December 12, 2002 12:18 PM
To: larosa, vjay
Cc: incidents@securityfocus.com
Subject: Re: DNS help
On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay@emc.com> said:
> Hello,
>
> These packets were caught using a shadow IDS sensor. I was hoping that
> somebody in the list could help me understand what is happening below.
> I am familiar with snort and tcpdump, as well as the concept of packet
> fragmentation. I am mostly interested in finding out about the DNS
> requests being made, and why they are coming back fragmented.
Given that they fragged at 1480, I'd suspect you're going through a VPN
at some point. You're going to their nameserver to look something up
and the replies are getting fragged on the way.
Is your DNS server a secondary for a zone hosted at outside.guy.com? This
looks like it might be AXFR traffic. It's hard to tell without knowing what
IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant
I could tell you more.
> 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162
> [1au][|domain] (DF)
> 12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
> 56162[|domain] (frag 48818:1480@0+)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
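Added example, not part of the thread (the function names are my own): a parser for the tcpdump DNS summary lines quoted above that pairs query and reply by transaction ID and records what the bracketed fields say. In tcpdump's DNS output `[1au]` is the additional-record count (one record, which on a query is commonly an EDNS0 OPT pseudo-record), `[|domain]` means the capture snaplen cut the packet off before the DNS payload could be fully decoded, and `(frag 48818:1480@0+)` is IP fragment ID 48818, 1480 bytes at offset 0 with more fragments to follow.

```python
import re

# Constructed sample: the two tcpdump lines quoted in the thread, re-joined
# onto one line each (the mail archive wrapped them).
SAMPLE_LINES = [
    "12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)",
    "12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)",
]

# tcpdump DNS summary shape: "<ts> <src> > <dst>: <txid><bracketed fields> (options)"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<txid>\d+)(?P<rest>.*)$")
# [Na] [Nn] [Nau] are tcpdump's answer / authority / additional record counts
COUNT_RE = re.compile(r"\[(\d+)(a|n|au)\]")
# (frag ID:LEN@OFFSET+) is the IP fragment header; "+" means more fragments follow
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
SECTION = {"a": "answers", "n": "authority", "au": "additional"}


def parse_tcpdump_dns(line):
    """Return a dict describing one tcpdump DNS line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {
        "timestamp": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
        "txid": int(m.group("txid")),
        "answers": 0, "authority": 0, "additional": 0,
        "truncated_capture": "[|domain]" in rest,  # snaplen cut off the DNS payload
        "dont_fragment": "(DF)" in rest,
        "fragment": None,
    }
    for count, which in COUNT_RE.findall(rest):
        rec[SECTION[which]] = int(count)
    f = FRAG_RE.search(rest)
    if f:
        rec["fragment"] = {"id": int(f.group(1)), "length": int(f.group(2)),
                           "offset": int(f.group(3)), "more": f.group(4) == "+"}
    return rec


def pair_exchanges(lines):
    """Pair each query with the reply that carries the same txid and swapped endpoints."""
    pending, exchanges = {}, []
    for rec in filter(None, map(parse_tcpdump_dns, lines)):
        reverse = (rec["txid"], rec["dst"], rec["src"])
        if reverse in pending:
            query = pending.pop(reverse)
            exchanges.append({"query": query, "reply": rec,
                              "reply_fragmented": rec["fragment"] is not None})
        else:
            pending[(rec["txid"], rec["src"], rec["dst"])] = rec
    return exchanges
```

Running it over the two sample lines yields one exchange whose reply is fragmented; a capture with a larger snaplen would be needed to see the query type and name that `[|domain]` hides.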