
Re: Strange traffic from ISP dns server



>I'm pretty sure now that this is just snort reporting when the dns-server
>sends back the data from the lookup. The dns-server just happens to send
>it to some port that snort is looking for traffic on.

Correct, the DNS returns to the port you used for sending the query, a random port above 1023; it should also be a different number for each query, I guess.

>But won't this make
>it very easy to hide your attempts to connect to a backdoor (or
>something), you spoof yourself as 10.0.0.1 and the person reading the
>logs will just ignore that since they know that it's just the dns-server?

I don't think so; if you spoof your source address you will never get any answers back, the host will return the data to 10.0.0.1.
You will also need to source with port 53 to make it look like a DNS answer.

And telia.com's solution with the DNSes at private numbers is, IMHO, an excellent solution to ensure that only their customers are able to use the service.

Best regards

Martin Berg
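
The point discussed in this message, as an added example that is not part of the original post: a log reader can separate genuine DNS replies from other traffic sourced from port 53 by matching each reply to an outstanding query on address, port and DNS transaction ID. The client address 192.168.1.20, the port numbers and the packets are constructed for illustration; 10.0.0.1 is the resolver address used in the thread.

```python
import struct

DNS_PORT = 53

def dns_header(payload):
    """Return (txid, is_response) from a DNS header, or None if too short."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set = response

def classify(packets):
    """Label each UDP packet; packets are (src, sport, dst, dport, payload)."""
    pending = set()  # outstanding queries: (client, cport, server, txid)
    labels = []
    for src, sport, dst, dport, payload in packets:
        hdr = dns_header(payload)
        if dport == DNS_PORT and hdr and not hdr[1]:
            pending.add((src, sport, dst, hdr[0]))
            labels.append("query")
        elif sport == DNS_PORT:
            # A real reply mirrors the query's addresses, ports and txid.
            key = (dst, dport, src, hdr[0]) if hdr and hdr[1] else None
            if key in pending:
                pending.discard(key)
                labels.append("dns-reply")
            else:
                labels.append("unsolicited")
        else:
            labels.append("other")
    return labels

def mk(txid, response):
    """Build a constructed 12-byte DNS header (no question section)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed sample traffic (assumed values, not taken from the thread's logs).
SAMPLE = [
    ("192.168.1.20", 31337, "10.0.0.1", 53, mk(0x1A2B, False)),
    ("10.0.0.1", 53, "192.168.1.20", 31337, mk(0x1A2B, True)),
    ("10.0.0.1", 53, "192.168.1.20", 31337, mk(0x1A2B, True)),  # no pending query
    ("10.0.0.1", 53, "192.168.1.20", 12345, b"\x00\x01"),       # not a DNS message
]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE, classify(SAMPLE)):
        print(pkt[:4], label)
```

Only the second packet is labelled `dns-reply`; the other two packets from port 53 have no matching query and are the ones worth a closer look.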


