DNS port requests

Kevin Darcy kcd at daimlerchrysler.com
Wed Sep 6 22:15:17 UTC 2006


Rasheed Darras wrote:
> What the meaning of these requests? Why a customer query my DNS for
> "port=xxxx" ???
>
> Rasheed 
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf
> Of Kevin Darcy
> Sent: Tuesday, September 05, 2006 11:12 PM
> To: bind-users at isc.org
> Subject: Re: DNS port requests
>
> Rasheed Darras wrote:
>   
>> Dears,
>>
>> If I captured DNS packets using snoop, I found many requests like:
>>
>> "Customer IP" > "My DNS IP" DNS C port=16931
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=2949
>> "Customer IP" > "My DNS IP" DNS C port=16931
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=31864
>> "Customer IP" > "My DNS IP" DNS C port=31875
>> "Customer IP" > "My DNS IP" DNS C port=2949
>>
>> What are these requests?
>>   
>>     
> Since they're coming to the "DNS" (53) port on your DNS server, I'd assume
> they were DNS queries.
>
> Or, do you consider this traffic unusual in some way?
>   
Oh, I see what you're saying now. I was misreading the output. It is a 
_little_ odd for someone to be querying "port=xxxxx", but on the other 
hand it doesn't really surprise me that much, since I eyeball our query 
logs periodically and see all manner of crap there. Oftentimes a log 
analyzer will misparse its input and then misinterpret something that 
isn't meant to be a hostname -- e.g. some error text -- as a hostname, 
and try to resolve it into an IP address. So sometimes I see query 
sequences in rapid succession from the same client like ("file", "not", 
"found") or whatever.

I think something similar is happening here, where a log analyzer is 
mistaking the "port" field as a "hostname" field and then trying to 
resolve the contents of that field. My guess would be that it's a 
firewall or intrusion-prevention/-detection log they're trying to 
analyze, since most other stuff doesn't really care about ports _per_se_.

- Kevin
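As an added illustration of the pattern Kevin describes above (this is not code from the original thread or from BIND): a small Python script that scans BIND 9 style `query:` log lines for names that cannot be hostnames at all (such as "port=16931", which contains '=') or that are bare single words (such as "file", "not", "found"), and flags clients that issue several of them within a few seconds. The sample log lines, client addresses, timestamps and the burst threshold are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of BIND 9 query-log lines (not taken from the original post).
# Client 192.0.2.10 behaves like the log analyzer in the thread; 198.51.100.7
# resolves the words of an error message; 203.0.113.5 is a normal client.
SAMPLE_LOG = """\
06-Sep-2006 22:10:01.101 client 192.0.2.10#2949: query: port=16931 IN A +
06-Sep-2006 22:10:01.104 client 192.0.2.10#2949: query: port=16932 IN A +
06-Sep-2006 22:10:01.110 client 192.0.2.10#2949: query: port=2949 IN A +
06-Sep-2006 22:10:02.500 client 192.0.2.10#2949: query: port=31864 IN A +
06-Sep-2006 22:10:03.001 client 192.0.2.10#2949: query: port=31875 IN A +
06-Sep-2006 22:10:05.000 client 192.0.2.10#2949: query: www.example.com IN A +
06-Sep-2006 22:11:00.000 client 198.51.100.7#1024: query: file IN A +
06-Sep-2006 22:11:00.020 client 198.51.100.7#1024: query: not IN A +
06-Sep-2006 22:11:00.040 client 198.51.100.7#1024: query: found IN A +
06-Sep-2006 22:12:00.000 client 203.0.113.5#5353: query: mail.example.org IN MX +
06-Sep-2006 22:12:30.000 client 203.0.113.5#5353: query: ns1.example.org IN NS +
"""

# "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> ..." as BIND 9 logs it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# A hostname label per RFC 952/1123: letters, digits and hyphens, not starting
# or ending with a hyphen.  Anything else ('=', '_', spaces, ...) is not a hostname.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def classify_qname(qname):
    """Return 'ok' for a plausible hostname, else a reason it looks like misparsed text."""
    labels = qname.rstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid_chars"   # e.g. "port=16931": '=' cannot occur in a hostname
    if len(labels) == 1:
        return "bare_label"      # e.g. "file", "not", "found": a lone word, not a FQDN
    return "ok"


def parse_log(text):
    """Yield (timestamp, client_ip, qname, verdict) for every line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line (zone transfers, notifies, ...)
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        qname = m.group("qname")
        events.append((ts, m.group("ip"), qname, classify_qname(qname)))
    return events


def find_junk_bursts(text, min_count=3, window_seconds=5.0):
    """Map client IP -> junk qnames for clients sending >= min_count junk queries
    inside a window_seconds-long sliding window (the 'rapid succession' pattern)."""
    per_client = defaultdict(list)
    for ts, ip, qname, verdict in parse_log(text):
        if verdict != "ok":
            per_client[ip].append((ts, qname))

    bursts = {}
    for ip, events in per_client.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while (j + 1 < len(events)
                   and (events[j + 1][0] - events[i][0]).total_seconds() <= window_seconds):
                j += 1
            if j - i + 1 >= min_count:
                bursts[ip] = [qname for _, qname in events[i:j + 1]]
                break  # one report per client is enough to point at the culprit
    return bursts


if __name__ == "__main__":
    for ip, names in find_junk_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} junk queries in a burst, e.g. {names[:3]}")
```

Running it on the sample reports 192.0.2.10 for the five "port=..." names and 198.51.100.7 for "file", "not", "found", while the client asking for real names is left alone. The two verdicts are deliberately separate: an invalid character is conclusive, whereas a single bare label can be a legitimate query for a local host, so in production the `bare_label` class is worth correlating with the burst count before contacting a customer.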


