DNS UDP port 0 activity

Jean-Christophe Smith jsmith at publichost.com
Fri Sep 1 23:57:59 UTC 2000


Sounds like a scan of some sort. Was it a TCP or UDP packet? If TCP, were
the SYN and FIN flags set? (This is a popular type of scan that hackers use
to detect what OS you're running.) The reason the destination port was 53 was
because:
A. Many firewalls are configured to just allow DNS traffic through (some
inexperienced admins have difficulty getting firewalls to play nicely with
DNS)
B. Most admins will think it's normal DNS traffic

I believe sending the SYN/FIN packet to port 0 creates anomalies on
different OSes that can be used to determine OS type remotely.

just a theory,

-jc (jsmith at internet-security.com)



-----Original Message-----
From: Hooker, Bruce
To: bind-users at isc.org
Sent: 9/1/00 3:57 PM
Subject: DNS UDP port 0 activity


Howdy Folks,

The staff who support the firewalls at my site have asked
if I know anything about DNS/BIND sending queries from
port 53 to port 0.

Most of the DNS traffic monitored is the normal port 53 to
port 53 and high ports to port 53 but a significant amount
has a destination port of zero (0).

Our firewall is Firewall-1 from Checkpoint.

Any ideas?

Bruce Hooker
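The reply above names three things a firewall admin would want to pick out of the logs: a destination (or source) port of 0, a TCP packet with SYN and FIN set together, and traffic that uses source port 53 to reach a service port other than 53 in the hope that a loose "allow DNS" rule lets it through. The following detection script is an added example and is not code from either poster or from ISC; it parses a constructed key=value log format (an assumption made for the example, not Firewall-1's actual export format) and tags each record with the reasons it looks suspicious.

```python
"""Flag suspicious DNS-port traffic in firewall logs.

Added example, not from the bind-users thread. The key=value line layout
used here is an assumption for illustration; adapt parse_line() to the
real export format of the firewall in question.
"""
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). Field layout is assumed.
SAMPLE_LOG = """\
proto=udp src=192.0.2.10 sport=53 dst=198.51.100.5 dport=53 flags=
proto=udp src=192.0.2.11 sport=34567 dst=198.51.100.5 dport=53 flags=
proto=udp src=192.0.2.12 sport=53 dst=198.51.100.5 dport=0 flags=
proto=tcp src=192.0.2.13 sport=53 dst=198.51.100.5 dport=0 flags=SF
proto=tcp src=192.0.2.14 sport=53 dst=198.51.100.5 dport=22 flags=S
proto=tcp src=192.0.2.15 sport=40000 dst=198.51.100.5 dport=80 flags=S
"""


@dataclass
class Record:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SF", "A"; empty for UDP


def parse_line(line):
    """Parse one 'key=value key=value ...' log line into a Record."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return Record(
        proto=fields["proto"].lower(),
        src=fields["src"],
        sport=int(fields["sport"]),
        dst=fields["dst"],
        dport=int(fields["dport"]),
        flags=fields.get("flags", "").upper(),
    )


def classify(rec):
    """Return a tuple of reason tags for a record; empty means it looks normal."""
    reasons = []
    # Port 0 is never a legitimate DNS endpoint; either direction is odd.
    if rec.dport == 0 or rec.sport == 0:
        reasons.append("port-0")
    # SYN and FIN together never occur in a valid TCP handshake.
    if rec.proto == "tcp" and "S" in rec.flags and "F" in rec.flags:
        reasons.append("syn-fin")
    # A real DNS reply from port 53 goes to 53 or to a high ephemeral port.
    # Port 53 aimed at another low service port suggests a rule-evasion attempt.
    if rec.sport == 53 and rec.dport != 53 and rec.dport < 1024:
        reasons.append("dns-source-port-to-service-port")
    return tuple(reasons)


def scan_log(text):
    """Return [(line_no, reasons)] for every line that raised at least one reason."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = classify(parse_line(line))
        if reasons:
            findings.append((line_no, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Run against the constructed sample, lines 3 to 5 are reported and the two ordinary DNS exchanges and the plain web SYN pass silently. The third rule deliberately ignores replies from port 53 to high ports, which is what normal resolver traffic looks like, so it will not drown the port-0 hits in false positives.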
