Hello Bennett,

Wednesday, July 17, 2002, 12:32:02 PM, you wrote:

BT> If you're seeing both src and dst == 53 in the same packet, then
BT> either you've got an unusual resolver, one that is only capable of
BT> having one outstanding request to any given server (or one that
BT> doesn't care about the ambiguity of having multiple queries with the
BT> same ports), or else someone is playing silly games. When people
BT> build packet-filtering (as opposed to proxy bastion) firewalls, they
BT> often let srcport=53 and/or dstport=53 through, so that DNS will
BT> work; people have been known to take advantage of that to run things
BT> like CIPE <URL:http://www.inka.de/~bigred/devel/cipe.html> right
BT> through such firewalls.

While it is unusual, most modern recursive software is designed so
that it can initiate requests on port 53 as well. This is often done
when the recursive name server is behind a firewall. With BIND it is
relatively simple, just use the option:

    query-source address IP_ADDRESS port 53;

I think most versions of BIND come with a comment in the named.conf
file about the command, so it is also possible someone enabled it just
because they could :).

Either way, if they really are DNS queries, it is probably not
anything to worry about.

allan
--
Allan Liska
allanat_private
http://www.allan.org

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
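One way to test the "if they really are DNS queries" condition on captured UDP payloads where both ports are 53, as an added example that is not part of the original message. The names `dns_message_kind`, `triage` and `build_query` are hypothetical, the sample query is constructed, and the check goes slightly beyond the message by also accepting well-formed responses, since a resolver using `query-source ... port 53` receives its answers on 53/53 too.

```python
import struct

MIN_RR = 11  # smallest resource record: 1-byte root name + 10 fixed bytes

def dns_message_kind(payload: bytes):
    """Return "query", "response", or None if payload is not plausible DNS."""
    if len(payload) < 12:
        return None
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    is_response, opcode = flags >> 15, (flags >> 11) & 0xF
    if opcode != 0 or qd != 1:          # standard QUERY carrying one question
        return None
    pos, name_len = 12, 0
    while True:                         # walk the QNAME labels
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or name_len + length + 1 > 254:
            return None                 # pointer bits or over-long name
        pos += length
        name_len += length + 1
    if pos + 4 > len(payload):
        return None
    _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    pos += 4
    records, rest = an + ns + ar, len(payload) - pos
    if qclass not in (1, 3, 4, 255):    # IN, CH, HS, ANY
        return None
    if rest < MIN_RR * records or (rest and not records):
        return None                     # counts must match the bytes present
    if not is_response and an:
        return None                     # a query carries no answers
    return "response" if is_response else "query"

def triage(sport: int, dport: int, payload: bytes) -> str:
    """Classify a UDP datagram seen with both ports equal to 53."""
    if sport != 53 or dport != 53:
        return "out-of-scope"
    kind = dns_message_kind(payload)
    return f"dns-{kind}" if kind else "investigate"

def build_query(name: str, qid: int = 0x1234) -> bytes:  # constructed sample
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return (struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00"
            + struct.pack("!HH", 1, 1))
```

A payload that fails this structural check on a 53/53 flow is the case the quoted message describes, where other traffic is riding through a filter that passes port 53.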
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 10:00:43 PDT