Not complaining who's first, just letting you know their story seems to track. See below.

On Wed, 16 May 2001 10:46:11 -0400, "Keith.Morgan" <Keith.Morganat_private> wrote:

>Ok folks. I've done some investigation with a number of providers. Here's
>what we believe is happening. There's an organization called "mirror-image"
>(see http://www.mirror-image.com) running an application that "tries to find
>shortest vector distance between http request, and http reply." Their
>application used to use high ports, but apparently, they've recently changed
>to using port 53. I'll be contacting their development team today to ask
>why they would use port 53 (to avoid firewalls dropping the packets?) as
>opposed to 80, or high ports.
>
>Every provider I contacted (the ones that were even vaguely cooperative)
>hosted, or otherwise did business with these folks at mirror-image. It
>appears that the mystery may be solved.

I ran this to ground with exactly the same results in July 2000. That was back when they were using the high ports.

http://www.incidents.org/archives/y2k/070700.htm

You may note from that tcpdump trace that they ran a server parallel to their DNS server. That parallel server first bounced a DNS Query Response off the high port of the requesting client. Then the real DNS server responded to the requesting client with a valid DNS Query Response.

Seems like they determined the bandwidth overhead is far less with a SYN packet too.

Matt
2001-05-17
This archive was generated by hypermail 2b30 : Fri May 18 2001 - 12:19:29 PDT