Unexpected connection (TCP 53)

Mathias Körber mathias at koerber.org
Sun Oct 29 12:00:50 UTC 2000




> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On

> Hi users:
>
>  Bind 8.2.2-p5 is working on Solaris 2.6 which is used as
> DNS/WWW server.
>
>  Now I found a strange phenomenon and want to make sure
> whether it causes from Bind 8.2.2-p5. or not.
>
>  The phenomenon is that IDS detected a packet tried to
> connect from my server to Unknown Name server, directly.
>
>   src host : My Server ( DNS, WWW )
>   src port : High port
>   dst host : ne3.europe.yahoo.com  <-- "Unknown" server !
>   dst port : 53 (tcp)
>
>  I don't remember that I wrote "ne3...com" in my configuration.
> No such IP addr. (of ne3....com)  were found in the
> named.conf, /etc/named/*. or /etc/resolv.conf
>
> I tried to find which process executed this connection using
> command like netstat, but I couldn't find it out.
> (because connection had already closed)
>
> I haven't seen this phenomenon more than once, but
> I'm afraid something wrong happened on my server ....

No. This behaviour is OK. It seems that your nameserver first
contacted the nameserver in question using TCP to resolve some
host (or MX record) in the yahoo.com zone, but received a reply
which was too large to fit into a UDP packet (and had the
TC=truncated bit set).

Proper behaviour in this case is for your nameserver to re-try that
query using a TCP connection, which is not subject to the packet-size
limit, and thus can contain more data.
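
When an IDS flags an outbound TCP/53 connection like the one in this thread, one way to triage it is to check whether a UDP response with the TC bit set arrived from the same server just before the connect. The following is an added example, not part of the original post; the event tuples, the addresses (documentation ranges) and the 5-second window are assumptions made for illustration.

```python
import struct

TC_FLAG = 0x0200  # truncation bit in the DNS header flags word (RFC 1035)
QR_FLAG = 0x8000  # set on responses, clear on queries

def parse_header(msg: bytes):
    """Return (id, is_response, truncated) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    msg_id, flags = struct.unpack("!HH", msg[:4])
    return msg_id, bool(flags & QR_FLAG), bool(flags & TC_FLAG)

def triage_tcp53(udp_responses, tcp_connects, window=5.0):
    """Label each outbound TCP/53 connect by whether a truncated UDP
    response from the same server arrived up to `window` seconds before it."""
    truncated = []  # (timestamp, server_ip) of responses with TC set
    for ts, server, payload in udp_responses:
        try:
            _, is_resp, tc = parse_header(payload)
        except ValueError:
            continue  # malformed datagram cannot explain a TCP retry
        if is_resp and tc:
            truncated.append((ts, server))
    verdicts = {}
    for ts, dst in tcp_connects:
        explained = any(s == dst and 0 <= ts - t <= window for t, s in truncated)
        verdicts[(ts, dst)] = "tc-fallback" if explained else "unexplained"
    return verdicts

def make_response(msg_id, tc):
    """Build a constructed, header-only DNS response for the sample data."""
    flags = QR_FLAG | (TC_FLAG if tc else 0)
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)

# Constructed sample events: (timestamp, server, payload) and (timestamp, dst).
UDP = [(100.0, "192.0.2.53", make_response(0x1A2B, tc=True)),
       (200.0, "198.51.100.7", make_response(0x3C4D, tc=False))]
TCP = [(100.2, "192.0.2.53"), (200.1, "198.51.100.7")]

if __name__ == "__main__":
    for key, verdict in triage_tcp53(UDP, TCP).items():
        print(key, verdict)
```

A connect labelled "unexplained" is not necessarily hostile (zone transfers also use TCP/53), but it is the one worth tracing to a process.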




