Re: Strange traffic from ISP dns server
>I'm pretty sure now that this is just snort reporting when the dns-server
>sends back the data from the lookup. The dns-server just happens to send
>it to some port that snort is looking for traffic on.
Correct, the DNS returns to the port you used for sending the query, a
random port above 1023, it should also be a different number for each
query, I guess.
>But won't this make
>it very easy to hide your attempts to connect to a backdoor ( or
>something ), you spoof yourself as 10.0.0.1 and the person reading the
>logs will just ignore that since they know that it's just the dns-server?
I don't think so, if you spoof your source address you will never get
any answers back, the host will return the data to 10.0.0.1.
You will also need to source with port 53 to make it look like a DNS answer.
And telia.com's solution with the DNS:es at private numbers is, IMHO, an
excellent solution to ensure that only their customers are able to use the
service.
Best regards
Martin Berg
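
The reply above notes that a genuine DNS answer comes back to the port the query was sent from, and that a spoofed packet has to use source port 53 to resemble one. A log-review check that follows from this: treat a port-53 packet as DNS only if it matches an outstanding query. This is an added example, not part of the original message; the record layout, field names, timeout and sample packets are constructed assumptions.

```python
from collections import namedtuple

# Constructed record layout (assumption): one entry per observed UDP packet.
# txid is the 16-bit DNS transaction ID parsed from the payload.
Pkt = namedtuple("Pkt", "ts src sport dst dport txid")

RESOLVER = "10.0.0.1"  # resolver address used in the thread
WINDOW = 5.0           # seconds a query stays outstanding (assumed timeout)


def unsolicited_dns(packets, resolver=RESOLVER, window=WINDOW):
    """Return packets that claim to be answers from the resolver (source
    port 53) but match no outstanding query sent by the local host."""
    pending = {}  # (client_ip, client_port, txid) -> time the query left
    flagged = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.dst == resolver and p.dport == 53:
            # Outgoing query: remember where the answer must return to.
            pending[(p.src, p.sport, p.txid)] = p.ts
        elif p.src == resolver and p.sport == 53:
            # Claimed answer: must hit the same host, port and transaction ID.
            sent = pending.pop((p.dst, p.dport, p.txid), None)
            if sent is None or p.ts - sent > window:
                flagged.append(p)
    return flagged


# Constructed sample traffic (addresses, ports and IDs are illustrative).
SAMPLE = [
    Pkt(0.00, "192.168.1.20", 31337, "10.0.0.1", 53, 0x1A2B),  # query
    Pkt(0.04, "10.0.0.1", 53, "192.168.1.20", 31337, 0x1A2B),  # its answer
    Pkt(9.00, "10.0.0.1", 53, "192.168.1.20", 31337, 0x1A2B),  # query already answered
    Pkt(9.50, "10.0.0.1", 53, "192.168.1.20", 12345, 0x0001),  # never queried
]

if __name__ == "__main__":
    for p in unsolicited_dns(SAMPLE):
        print(f"{p.ts:5.2f}s unsolicited port-53 packet to {p.dst}:{p.dport}")
```

The first answer is accepted even though it lands on a port an IDS rule might watch, because it matches a query; the two later packets are reported because nothing asked for them.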