DNS port requests
Kevin Darcy
kcd at daimlerchrysler.com
Wed Sep 6 22:15:17 UTC 2006
Rasheed Darras wrote:
> What the meaning of these requests? Why a customer query my DNS for
> "port=xxxx" ???
>
> Rasheed
>
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf
> Of Kevin Darcy
> Sent: Tuesday, September 05, 2006 11:12 PM
> To: bind-users at isc.org
> Subject: Re: DNS port requests
>
> Rasheed Darras wrote:
>
>> Dears,
>>
>> If I captured DNS packets using snoop, I found many requests like:
>>
>> "Customer IP" > "My DNS IP" DNS C port=16931
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=2949
>> "Customer IP" > "My DNS IP" DNS C port=16931
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=16932
>> "Customer IP" > "My DNS IP" DNS C port=31864
>> "Customer IP" > "My DNS IP" DNS C port=31875
>> "Customer IP" > "My DNS IP" DNS C port=2949
>>
>> What are these requests?
>>
>>
> Since they're coming to the "DNS" (53) port on your DNS server, I'd assume
> they were DNS queries.
>
> Or, do you consider this traffic unusual in some way?
>
Oh, I see what you're saying now. I was misreading the output. It is a
_little_ odd for someone to be querying "port=xxxxx", but on the other
hand it doesn't really surprise me that much, since I eyeball our query
logs periodically and see all manner of crap there. Oftentimes a log
analyzer will misparse its input and then misinterpret something that
isn't meant to be a hostname -- e.g. some error text -- as a hostname,
and try to resolve it into an IP address. So sometimes I see query
sequences in rapid succession from the same client like ("file", "not",
"found") or whatever.
I think something similar is happening here, where a log analyzer is
mistaking the "port" field as a "hostname" field and then trying to
resolve the contents of that field. My guess would be that it's a
firewall or intrusion-prevention/-detection log they're trying to
analyze, since most other stuff doesn't really care about ports _per_se_.
- Kevin
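A small triage script for the situation Kevin describes, added here as an example and not part of the thread: it parses snoop-style DNS client-query lines, groups them by client, and flags the two tell-tale patterns of a log analyzer leaking non-hostname fields into DNS (key=value tokens such as "port=16931", and runs of bare words such as "file", "not", "found"). The sample capture is constructed with placeholder addresses and uses snoop's `->` separator; the line shape and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of snoop's DNS summary lines, with
# placeholder addresses: client -> server, then "DNS C" and the queried name.
SAMPLE_CAPTURE = """\
192.0.2.10 -> 198.51.100.53 DNS C port=16931
192.0.2.10 -> 198.51.100.53 DNS C port=16932
192.0.2.10 -> 198.51.100.53 DNS C port=2949
192.0.2.10 -> 198.51.100.53 DNS C port=16932
192.0.2.11 -> 198.51.100.53 DNS C www.example.com. Internet Addr ?
192.0.2.12 -> 198.51.100.53 DNS C file
192.0.2.12 -> 198.51.100.53 DNS C not
192.0.2.12 -> 198.51.100.53 DNS C found
192.0.2.13 -> 198.51.100.53 DNS C localhost
"""

LINE_RE = re.compile(r"^(\S+)\s+->\s+(\S+)\s+DNS\s+C\s+(\S+)")
KEY_VALUE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=\S+$")
MIN_BARE_WORD_RUN = 3  # dotless names from one client before we call it a run (assumed)


def parse_queries(capture_text):
    """Yield (client, server, qname) for each snoop DNS client-query line."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, server, qname = m.groups()
            yield client, server, qname.rstrip(".")


def flag_junk_queries(capture_text):
    """Group queries by client and flag the patterns from the thread:
    key=value tokens (port=16931) and runs of bare words (file/not/found).
    Returns {client: [(qname, reason), ...]}; clean clients are omitted."""
    per_client = defaultdict(list)
    for client, _server, qname in parse_queries(capture_text):
        per_client[client].append(qname)

    flagged = {}
    for client, names in per_client.items():
        hits = [(n, "key=value token") for n in names if KEY_VALUE_RE.match(n)]
        bare = [n for n in names if "." not in n and not KEY_VALUE_RE.match(n)]
        if len(bare) >= MIN_BARE_WORD_RUN:
            hits.extend((n, "bare-word run") for n in bare)
        if hits:
            flagged[client] = hits
    return flagged


if __name__ == "__main__":
    for client, hits in flag_junk_queries(SAMPLE_CAPTURE).items():
        print(client)
        for qname, reason in hits:
            print(f"  {qname!r:<16} {reason}")
```

A flagged client is a candidate for a polite note to its owner about a misconfigured log analyzer, not a threat in itself; a single dotless name (the `localhost` line) is deliberately not flagged.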