Re: strange traffic on UDP port 53

• Previous message: John Costa: "RE: Dameware Malcode? Is anyone aware of it?"
• In reply to: Mike: "RE: strange traffic on UDP port 53"
• Next in thread: Quarantine: "RE: strange traffic on UDP port 53"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 06 Jun 2003 08:39:52 BST, Mike <mikeat_private>  said:

> belonged to our ISP. On querying them about this odd behavior the
> explanation given (and other evidence seems to bear this out) was that
> our mail server was performing DNS lookups for the delivery of mail and
> on behalf of our internal network as it was configured as a forwarder
> because it was behind a firewall. The IP address in question was merely
> replying to DNS queries which had been forwarded to it by our ISPs'

The scenario there would have your site sending packets with an ephemeral
port number to the DNS server's port 53, and the return packets stopped
at the firewall would have a *source* port 53 and an ephemeral destination.

In the OP's case, the *destination* port was 53, which indicates that somebody
thinks that the mail server target is also providing DNS service.

• application/pgp-signature attachment: stored

• Next message: James C. Slora Jr.: "Re: Help with an odd log file..."
• Previous message: John Costa: "RE: Dameware Malcode? Is anyone aware of it?"
• In reply to: Mike: "RE: strange traffic on UDP port 53"
• Next in thread: Quarantine: "RE: strange traffic on UDP port 53"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 09:07:48 PDT