Pantek Library

Re: DNS help

From: <Valdis.Kletnieks(at)vt.edu>
Date: Thu Dec 12 2002 - 12:17:35 EST

On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjay@emc.com> said:
> Hello,
>
> These packets were caught using a shadow IDS sensor. I was hoping that
> somebody in the list could help me understand what is happening below. I am
> familiar with snort and tcpdump, as well as the concept of packet
> fragmentation. I am mostly interested in finding out about the DNS requests
> being made, and why they are coming back fragmented.

Given that they fragged at 1480, I'd suspect you're going through a VPN at some point. You're going to their nameserver to look something up and the replies are getting fragged on the way.

Is your DNS server a secondary for a zone hosted at outside.guy.com? This looks like it might be AXFR traffic. It's hard to tell without knowing what IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant I could tell you more.

> 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162

> 12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

  • application/pgp-signature attachment: stored
Received on Thu Dec 12 17:12:43 2002
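The dump lines quoted above are in tcpdump's DNS notation: `[1au]` on a query means the packet's header advertises one record in the additional section (tcpdump prints `[Na]`, `[Nn]` and `[Nau]` for non-zero answer, authority and additional counts), and `[|domain]` means the decoder ran out of captured bytes before it finished (the sensor's snaplen cut the packet). A lone additional record on a query is almost always an EDNS0 OPT pseudo-RR (RFC 6891), and what that record carries is the querier's advertised UDP payload size: a server honouring it will send a reply far larger than the classic 512 bytes in a single UDP datagram, which then IP-fragments at the path MTU (a 1500-byte link yields 1480-byte fragments). Without EDNS0 the same reply would be truncated and retried over TCP. The following is an added example, not code from the thread or from the IDS, that builds such a query, decodes it the way tcpdump annotates it, and works out how a reply of a given size would be delivered. The packet is constructed inline; the name `outside.guy.com` and ID 56162 are reused from the quoted dump only as placeholders.

```python
"""Decode the section counts and EDNS0 OPT record of a DNS query, then estimate
how a UDP reply of a given size is carried (single datagram, IP-fragmented, or
truncated and retried over TCP).

Added example for this thread, not the poster's or the IDS's code. The packet
below is constructed here; 'outside.guy.com' and ID 56162 are placeholders
taken from the quoted dump lines.
"""
import struct
from typing import List, Optional, Tuple

QTYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 28: "AAAA", 252: "AXFR", 255: "ANY"}
OPT = 41  # EDNS0 pseudo-RR type (RFC 6891)


def build_query(name: str, qtype: int, txid: int, edns_udp_size: Optional[int]) -> bytes:
    """Minimal DNS query; with edns_udp_size set, an OPT RR is appended to the
    additional section advertising that UDP payload size."""
    arcount = 1 if edns_udp_size is not None else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    for label in name.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if edns_udp_size is not None:
        # OPT RR: root owner name, TYPE=41, CLASS field = UDP payload size,
        # TTL field = extended RCODE/version/flags (zero here), RDLENGTH=0.
        pkt += b"\x00" + struct.pack("!HHIH", OPT, edns_udp_size, 0, 0)
    return pkt


def parse_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed domain name; return (name, next offset)."""
    labels = []
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels) or ".", off
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def summarize_query(pkt: bytes) -> dict:
    """Header counts in tcpdump's notation ('[1au]' = one additional record)
    plus the EDNS0 UDP size if an OPT RR is present. Assumes one question."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = parse_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    info = {
        "id": txid,
        "qname": qname,
        "qtype": QTYPES.get(qtype, str(qtype)),
        "counts": "".join(f"[{n}{tag}]" for n, tag in ((an, "a"), (ns, "n"), (ar, "au")) if n),
        "edns_udp_size": None,
    }
    for _ in range(an + ns + ar):  # walk the RR sections looking for OPT
        _, off = parse_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info["edns_udp_size"] = rclass
    return info


def udp_fragments(dns_len: int, mtu: int = 1500) -> List[Tuple[int, int]]:
    """IPv4 fragments (data bytes, offset) for a UDP datagram carrying dns_len
    bytes: 20-byte IP header per fragment, 8-byte UDP header once, fragment
    data in multiples of 8, so a 1500 MTU gives 1480@0, 1480@1480, ..."""
    total = 8 + dns_len
    per_frag = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < total:
        n = min(per_frag, total - off)
        frags.append((n, off))
        off += n
    return frags


def delivery(response_len: int, edns_udp_size: Optional[int], mtu: int = 1500) -> str:
    """Within the classic 512-byte limit or the advertised EDNS0 size the reply
    goes over UDP (fragmenting when it exceeds what the MTU allows); beyond
    that it is truncated (TC=1) and the client retries over TCP."""
    limit = edns_udp_size if edns_udp_size else 512
    if response_len > limit:
        return "truncated (TC=1); client retries over TCP"
    frags = udp_fragments(response_len, mtu)
    if len(frags) == 1:
        return "single UDP datagram"
    return "UDP in %d IP fragments: %s" % (
        len(frags), ", ".join(f"{n}@{o}" for n, o in frags))


if __name__ == "__main__":
    q = build_query("outside.guy.com", 252, 56162, 4096)
    print(summarize_query(q))
    for size, edns in ((400, None), (4000, None), (4000, 4096)):
        print(size, edns, "->", delivery(size, edns))
```

Feeding the real capture into `summarize_query` (after the Ethernet/IP/UDP headers) tells you whether the querier advertised a large EDNS0 buffer; if it did, fragmented UDP replies need no VPN or tunnel to explain them. The other check a practitioner would want before settling on AXFR: a zone transfer is carried over TCP (RFC 5936), so fragmented UDP answers are more typical of a large record set such as an ANY or DNSSEC-signed response, and a wider snaplen on the sensor would remove the `[|domain]` truncation and show the QTYPE directly.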

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

