Security Incidents mailing list archives
Re: Large DNS scans from 211.53.208.178
From: RichardS () ADV NET NZ (Richard Stevenson)
Date: Wed, 3 May 2000 12:26:12 +1200
On 1 May 2000, at 1:49, Seth Georgion wrote:
> This is very common, especially from Korea and should be seen as obvious attempts to find Zone Transferable hosts and should be secured against by disallowing Unauthorized Zone Transfers. Of course any one who has an even minimal computer education should be aware that all zone transfers are by nature TCP based and that all DNS Lookups are by nature UDP based. Thus it would follow that no one, not even the village idiot, would allow TCP 53 through the firewall.
That's not quite correct. UDP-based DNS replies have a maximum size (about 500 bytes, IIRC), beyond which they include a flag stating that the reply was truncated. The client resolver may then query again using TCP, which allows larger replies, to get the complete data set they asked for.

Regards
Richard
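The truncation-and-retry behaviour described in the reply above, as an added example that is not part of the original post: it reads the TC flag from the 12-byte DNS header of a constructed reply and shows the resolver falling back to TCP, where each message carries a 2-byte length prefix (RFC 1035). The name `example.com`, the transaction ID, the sample replies and all function names are assumptions made for illustration.

```python
import struct

QR_BIT = 0x8000  # set on responses
TC_BIT = 0x0200  # "truncated": the reply did not fit in the UDP message

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=1):
    """Build a minimal query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return the header fields a resolver checks before using a reply."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "response": bool(flags & QR_BIT),
            "truncated": bool(flags & TC_BIT), "answers": answers}

def next_step(query, udp_reply):
    """Decide what the resolver does with a reply received over UDP."""
    q, r = parse_header(query), parse_header(udp_reply)
    if not r["response"] or r["id"] != q["id"]:
        return "discard"      # not an answer to this query
    if r["truncated"]:
        return "retry-tcp"    # fails if TCP 53 is blocked at the firewall
    return "accept"

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with its length in 2 bytes."""
    return struct.pack("!H", len(msg)) + msg

# Constructed samples (not captured traffic). Flags 0x8380 = QR|TC|RD|RA.
QUERY = build_query(0x1A2B, "example.com")
TRUNCATED = struct.pack("!HHHHHH", 0x1A2B, 0x8380, 1, 0, 0, 0) + QUERY[12:]
# Flags 0x8180 = QR|RD|RA, one A record pointing at 192.0.2.1.
COMPLETE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
            + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(next_step(QUERY, TRUNCATED), next_step(QUERY, COMPLETE))
```
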