[ On Monday, June 9, 2003 at 11:38:08 (-0700), David Gillett wrote: ] > Subject: RE: strange traffic on UDP port 53 > > > -----Original Message----- > > From: Greg A. Woods [mailto:woodsat_private] > > > > [ On Friday, June 6, 2003 at 10:35:34 (-0700), David Gillett wrote: ] > > > Subject: RE: strange traffic on UDP port 53 > > > > > > Replies to DNS queries should be coming FROM port 53, > > > > True, though unfortunately it's not always the case. > > ... but your further paragraph argues that it is hardly unfortunate at > all, since it's *practically always* the case. Indeed -- I was confusing "replies to DNS queries" with "DNS queries". :-) (because usually I avoid the confusion by calling then "DNS replies") DNS queries should have a source port of 53, but often don't. DNS queries MUST have a destination port of 53. DNS replies simply swap the source and destination (addresses and port numbers together) and out they go. > If a UDP packet is FROM and ephemeral port TO port 53, it's almost > certainly a DNS *request*, and not a *reply*. And that's the pattern > reported in this case. Indeed it is! -- Greg A. Woods +1 416 218-0098; <g.a.woodsat_private>; <woodsat_private> Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private> ---------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:21:37 PDT