Security Incidents
mailing list archives
RE: DNS servers outbound connections.
From: Philip Bartholomew <Philip.Bartholomew () cms co uk>
Date: Wed, 2 Oct 2002 07:59:27 +0100
I think you're on the money there, David.
Thanks, everyone who replied, for your help.
Philip
"...isn't it odd that the word innuendo is so suggestive?..."
-----Original Message-----
From: NESTING, DAVID M (SBCSI) [mailto:dn3723 () sbc com]
Sent: 01 October 2002 16:06
To: 'Philip Bartholomew'
Cc: 'incidents () securityfocus com'
Subject: RE: DNS servers outbound connections.
There's no such thing as a UDP "connection" really. Are you sure these
aren't DNS replies to requests made by these remote hosts?
Frequently if a host tries to perform DNS resolution, it may end up querying
more than one server in an attempt to get a response. If it gets a response
from one, it may tear down the UDP socket even though more than one server
was queried. If there are any other replies that get delivered afterward,
they may get an ICMP Unreachable message generated when they arrive. This
may make it seem like the DNS server is trying to send packets somewhere
they shouldn't be going.
If these are web servers, perhaps they have DNS resolution turned on in
their logging and you have a user on your network making HTTP requests
against these servers.
Just some thoughts..
David
From: Philip Bartholomew [mailto:Philip.Bartholomew () cms co uk]
I wonder if any of you fine fellows can help. My 2 Nameservers are making
a number of UDP connections "10-20 a minute" originating on port 53 to
alternating dest ports e.g.: 1113, 56008, 54002 tries about ten
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
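
The check David suggests, as an added example that is not part of the original thread: match each UDP packet leaving a name server from port 53 against an earlier inbound query from the same remote address and port, and mark replies that drew an ICMP port-unreachable as late replies. The flow-record format, the addresses (documentation ranges), the 5-second window and matching ICMP errors by client address alone are assumptions made for this sketch.

```python
"""Match UDP packets sent from a name server's port 53 to earlier inbound queries."""
from collections import namedtuple

NAMESERVER = "192.0.2.53"  # constructed address (TEST-NET-1)
WINDOW = 5.0               # assumed: seconds a reply may trail its query

# Constructed flow records: "<epoch> <proto> <src> <sport> <dst> <dport>"
SAMPLE_LOG = """\
100.00 udp 198.51.100.7 1113 192.0.2.53 53
100.02 udp 192.0.2.53 53 198.51.100.7 1113
100.03 icmp-port-unreach 198.51.100.7 0 192.0.2.53 0
101.50 udp 203.0.113.9 56008 192.0.2.53 53
101.51 udp 192.0.2.53 53 203.0.113.9 56008
140.00 udp 192.0.2.53 53 203.0.113.20 54002
"""

Flow = namedtuple("Flow", "ts proto src sport dst dport")

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, proto, src, sport, dst, dport = line.split()
            yield Flow(float(ts), proto, src, int(sport), dst, int(dport))

def classify(log, server=NAMESERVER, window=WINDOW):
    queries = {}  # (client, client port) -> time of last inbound query
    replies = {}  # client -> index in results of the last packet sent to it
    results = []
    for f in parse(log):
        if f.proto == "udp" and f.dst == server and f.dport == 53:
            queries[(f.src, f.sport)] = f.ts
        elif f.proto == "udp" and f.src == server and f.sport == 53:
            asked = queries.get((f.dst, f.dport))
            solicited = asked is not None and 0 <= f.ts - asked <= window
            replies[f.dst] = len(results)
            results.append([f.dst, f.dport, "reply" if solicited else "unsolicited"])
        elif f.proto == "icmp-port-unreach" and f.dst == server and f.src in replies:
            # Simplification: matched by client address only; a real ICMP error
            # quotes the offending UDP header, which would give the exact port.
            entry = results[replies[f.src]]
            if entry[2] == "reply":
                entry[2] = "late-reply"  # client closed its socket before our answer
    return [tuple(r) for r in results]

if __name__ == "__main__":
    for dst, dport, verdict in classify(SAMPLE_LOG):
        print(f"{dst}:{dport} {verdict}")
```

Only packets classified as unsolicited have no query to explain them and are the ones worth a packet capture.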