> -----Original Message----- > From: Greg A. Woods [mailto:woodsat_private] > > [ On Friday, June 6, 2003 at 10:35:34 (-0700), David Gillett wrote: ] > > Subject: RE: strange traffic on UDP port 53 > > > > Replies to DNS queries should be coming FROM port 53, > > True, though unfortunately it's not always the case. ... but your further paragraph argues that it is hardly unfortunate at all, since it's *practically always* the case. > > not > > (necessarily) addressed TO port 53. > > If DNS queries are not addressed to port#53 then they're not going to > reach any valid nameserver. While some systems issue DNS requests *from* port 53, others allow them to originate from any (ephemeral) port number. Generally, DNS servers will send their answer from the queried port (53) to the source port of the query, which may or may not be 53. If a UDP packet is FROM and ephemeral port TO port 53, it's almost certainly a DNS *request*, and not a *reply*. And that's the pattern reported in this case. David Gillett ---------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:06:12 PDT