Weird DNS Problems

Kevin Darcy kcd at daimlerchrysler.com
Thu Nov 10 22:33:04 UTC 2005


cmtu.mt.ns.els-gms.att.net is one of the nameservers for the 
22.12.in-addr.arpa domain, so it's perfectly normal that it would be 
responding to a reverse lookup of 12.22.249.3.

A better question is: why is this showing up on your IDS? Perhaps you 
should ask your IDS vendor that question.

                                                                         
- Kevin

erik.c.fournier at nga.mil wrote:

>I was reading about the post of the same name, and I saw an IP that
>I've seen on our IDS. Here's a quick snippet of it:
>
>
>  (Towards)                                                    16:45:32
>SOURCE: 12.127.16.69    cmtu.mt.ns.els-gms.att.net
>DEST:   164.214.X.X   DNS Server
> 45 00 00 96 ab 0b 40 00 f7 11 14 61 0c 7f 10 45 a4 d6 02 50  E.....@....a...E...P
> 00 35 00 35 00 82 37 a9 ee a6 84 03 00 01 00 00 00 01 00 00  .5.5..7.............
> 01 33 03 32 34 39 02 32 32 02 31 32 07 69 6e 2d 61 64 64 72  .3.249.22.12.in-addr
> 04 61 72 70 61 00 00 0c 00 01 03 32 34 39 02 32 32 02 31 32  .arpa......249.22.12
> 07 69 6e 2d 61 64 64 72 04 61 72 70 61 00 00 06 00 01 00 00  .in-addr.arpa.......
> 0e 10 00 2e 04 68 63 63 37 07 68 61 72 66 6f 72 64 03 65 64  .....hcc7.harford.ed
> 75 00 05 61 64 6d 69 6e c0 51 00 00 00 29 00 00 03 84 00 00  u..admin.Q...)......
> 02 58 00 01 51 80 00 00 0e 10                                .X..Q.....
>
> EVENT1: [DOS:DDNSF] (udp,dp=53,sp=53)
>
>Who is/are cmtu.mt.ns.els-gms.att.net (12.127.16.69)?
>Is this a misconfig. box?
>
>
>
>E
>
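Added example, not part of either post: decoding the packet from the quoted hex dump shows what the IDS flagged, namely a DNS response from port 53 to port 53 for the PTR name of 12.22.249.3, carrying an SOA record in the authority section. The function names `read_name` and `decode` are this example's own, and the parser assumes the layout of this one packet (IPv4/UDP, one question, no answers, SOA first in the authority section).

```python
import struct

# Packet bytes copied from the hex dump quoted in the message above.
PACKET = bytes.fromhex("""
45 00 00 96 ab 0b 40 00 f7 11 14 61 0c 7f 10 45 a4 d6 02 50
00 35 00 35 00 82 37 a9 ee a6 84 03 00 01 00 00 00 01 00 00
01 33 03 32 34 39 02 32 32 02 31 32 07 69 6e 2d 61 64 64 72
04 61 72 70 61 00 00 0c 00 01 03 32 34 39 02 32 32 02 31 32
07 69 6e 2d 61 64 64 72 04 61 72 70 61 00 00 06 00 01 00 00
0e 10 00 2e 04 68 63 63 37 07 68 61 72 66 6f 72 64 03 65 64
75 00 05 61 64 6d 69 6e c0 51 00 00 00 29 00 00 03 84 00 00
02 58 00 01 51 80 00 00 0e 10
""")

def read_name(msg, off, hops=0):  # returns (name, offset after the name)
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if hops > 10:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            labels.append(read_name(msg, ptr, hops + 1)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def decode(pkt):
    # Assumes this packet's layout: IPv4/UDP, one question, no answers, SOA first.
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    msg = pkt[ihl + 8:]                        # DNS message after the UDP header
    flags = struct.unpack_from("!H", msg, 2)[0]
    qname, q_end = read_name(msg, 12)          # question follows 12-byte header
    owner, r_off = read_name(msg, q_end + 4)   # skip QTYPE and QCLASS
    mname, off = read_name(msg, r_off + 10)    # skip TYPE, CLASS, TTL, RDLENGTH
    rname, _ = read_name(msg, off)             # ends in a compression pointer
    qtype, rtype = (struct.unpack_from("!H", msg, o)[0] for o in (q_end, r_off))
    return {
        "ports": struct.unpack_from("!HH", pkt, ihl),  # (source, destination)
        "response": bool(flags & 0x8000),      # QR bit
        "authoritative": bool(flags & 0x0400), # AA bit
        "rcode": flags & 0x000F,               # 3 = NXDOMAIN
        "question": (qname, qtype),            # type 12 = PTR
        "soa": (owner, rtype, mname, rname),   # type 6 = SOA
    }

if __name__ == "__main__":
    print(decode(PACKET))
```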




More information about the bind-users mailing list