Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: FW: Question for DNS pros
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 25 Jul 2004 13:57:53 -0500

--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten <vanpattens () knology net> wrote:


It seems to me you could do this without setting up a dns server. Just
tcpdump the traffic or sniff or snoop the traffic. It you set it up with
a snaplength of 1500 you'll get enough of the packet to see  exactly what
dns query is being asked...something like
tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4

And
--On Sunday, July 25, 2004 11:41 AM +0200 Paul Rolland <rol () witbe net> wrote:

Update your tcpdump or verify the syntax.
I just tried :

tcpdump -v -s 1500 -n udp port 53

on our NS server, and it shows the complete details of the request.

09:38:50.669060 eth0 < 67.166.39-62.rev.gaoland.net.3746 >
sim-01.PAR.witbe.net.domain: 34277+ PTR? 250.92.168.192.in-addr.arpa. (45)
(DF) (ttl 61, id 145)

For the last time, I have *already* done this. With both a snaplen of 1024 and a snaplen of 4096. It *hasn't* produced anything useful unless someone thinks *this* is useful (I'm using tcpdump on FreeBSD 4.9 RELEASE.):

tcpdump -c 100 -xX -s 4069 -i xl0 -p -w x.x.dump 'udp && host x.x.x.x && port 53' (Our IP has been changed to x.x.x.x)

I've altered the real hostname on our network to "targethost" and altered the querying IP to x.x.x.x for privacy reasons. All these queries are *from* the same host. This pattern is *typical* of what I'm seeing from a *number of diverse hosts* from all over the world.

22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29462 NS? . (17) 22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29463 NS? . (17) 22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain: 29464 NS? . (17) 22:06:13.298805 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30290 PTR? 63.37.110.129.in-addr.arpa. (44) 22:06:14.052600 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30291 PTR? 63.37.110.129.in-addr.arpa. (44) 22:06:14.799270 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30292 PTR? 63.37.110.129.in-addr.arpa. (44) 22:06:15.775488 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30818 NS? . (17) 22:06:16.526565 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30819 NS? . (17) 22:06:17.277716 x.x.x.x.2566 > targethost.utdallas.edu.domain: 30820 NS? . (17) 22:06:18.776723 x.x.x.x.2566 > targethost.utdallas.edu.domain: 31424 PTR? 63.37.110.129.in-addr.arpa. (44)

Comparing "real" queries to a functioning nameserver to what I'm trying to figure out is apples to oranges. If these *were* real queries, I wouldn't even have posted this here. I would have already figured it out.

It really would help if folks would *read* the list before replying.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault