On Thu, 28 Nov 2002 12:47:38 -0600 "J. Craig Woods" <[EMAIL PROTECTED]> wrote:
> Pierre,
>
> Very interesting, can you tell us more, i.e. are these conventional
> dns queries? Are these being sent and received on port 53 (or some other
> port)? What is the proto, tcp or udp? What kind of flags are set in
> the IP headers? What does top (or a "ps -aux") show? Are these queries
> going out to gtld and/or root servers, i.e. where are the destinations
> and/or sources? Do you see any aberrations in your syslog?

Hey Craig!

Here's a typical query/response pair... just out to the first NS listed
in /etc/resolv.conf... Nothing above the radar on top/ps... Went out for
turkey dinner; when I got back the queries had stopped... and I restarted
the ethereal trace without saving the original... :P

The source port was incrementing; but not on every query... I'll keep an
eye on it for a while...

Frame 10250 (76 bytes on wire, 76 bytes captured)
    Arrival Time: Nov 28, 2002 13:05:58.884533000
    Time delta from previous packet: 19.869979000 seconds
    Time relative to first packet: 15496.958553000 seconds
    Frame Number: 10250
    Packet Length: 76 bytes
    Capture Length: 76 bytes
Ethernet II, Src: 00:d0:b7:ad:a0:6c, Dst: 00:04:5a:6b:35:5b
    Destination: 00:04:5a:6b:35:5b (The_6b:35:5b)
    Source: 00:d0:b7:ad:a0:6c (INTEL_ad:a0:6c)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.1.14 (192.168.1.14), Dst Addr: 207.69.188.186 (207.69.188.186)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 62
    Identification: 0xae6e
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x3e8a (correct)
    Source: 192.168.1.14 (192.168.1.14)
    Destination: 207.69.188.186 (207.69.188.186)
User Datagram Protocol, Src Port: 34118 (34118), Dst Port: domain (53)
    Source port: 34118 (34118)
    Destination port: domain (53)
    Length: 42
    Checksum: 0x9821 (correct)
Domain Name System (query)
    Transaction ID: 0x463d
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        mandrakesoft.com: type A, class inet
            Name: mandrakesoft.com
            Type: Host address
            Class: inet

0000  00 04 5a 6b 35 5b 00 d0 b7 ad a0 6c 08 00 45 00   ..Zk5[.....l..E.
0010  00 3e ae 6e 40 00 40 11 3e 8a c0 a8 01 0e cf 45   .>.n@.@.>......E
0020  bc ba 85 46 00 35 00 2a 98 21 46 3d 01 00 00 01   ...F.5.*.!F=....
0030  00 00 00 00 00 00 0c 6d 61 6e 64 72 61 6b 65 73   .......mandrakes
0040  6f 66 74 03 63 6f 6d 00 00 01 00 01               oft.com.....

Frame 10251 (181 bytes on wire, 181 bytes captured)
    Arrival Time: Nov 28, 2002 13:05:59.022457000
    Time delta from previous packet: 0.137924000 seconds
    Time relative to first packet: 15497.096477000 seconds
    Frame Number: 10251
    Packet Length: 181 bytes
    Capture Length: 181 bytes
Ethernet II, Src: 00:04:5a:6b:35:5b, Dst: 00:d0:b7:ad:a0:6c
    Destination: 00:d0:b7:ad:a0:6c (INTEL_ad:a0:6c)
    Source: 00:04:5a:6b:35:5b (The_6b:35:5b)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 207.69.188.186 (207.69.188.186), Dst Addr: 192.168.1.14 (192.168.1.14)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 167
    Identification: 0x1f76
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 55
    Protocol: UDP (0x11)
    Header checksum: 0x161a (correct)
    Source: 207.69.188.186 (207.69.188.186)
    Destination: 192.168.1.14 (192.168.1.14)
User Datagram Protocol, Src Port: domain (53), Dst Port: 34118 (34118)
    Source port: domain (53)
    Destination port: 34118 (34118)
    Length: 147
    Checksum: 0xec04 (correct)
Domain Name System (response)
    Transaction ID: 0x463d
    Flags: 0x8180 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 2
    Additional RRs: 2
    Queries
        mandrakesoft.com: type A, class inet
            Name: mandrakesoft.com
            Type: Host address
            Class: inet
    Answers
        mandrakesoft.com: type A, class inet, addr 212.43.244.20
            Name: mandrakesoft.com
            Type: Host address
            Class: inet
            Time to live: 20 hours, 16 minutes, 19 seconds
            Data length: 4
            Addr: 212.43.244.20
    Authoritative nameservers
        mandrakesoft.com: type NS, class inet, ns moseisley.mandrax.org
            Name: mandrakesoft.com
            Type: Authoritative name server
            Class: inet
            Time to live: 20 hours, 16 minutes, 19 seconds
            Data length: 23
            Name server: moseisley.mandrax.org
        mandrakesoft.com: type NS, class inet, ns dagobah.mandrax.org
            Name: mandrakesoft.com
            Type: Authoritative name server
            Class: inet
            Time to live: 20 hours, 16 minutes, 19 seconds
            Data length: 10
            Name server: dagobah.mandrax.org
    Additional records
        moseisley.mandrax.org: type A, class inet, addr 63.209.80.226
            Name: moseisley.mandrax.org
            Type: Host address
            Class: inet
            Time to live: 1 day, 20 hours, 16 minutes, 19 seconds
            Data length: 4
            Addr: 63.209.80.226
        dagobah.mandrax.org: type A, class inet, addr 63.209.80.227
            Name: dagobah.mandrax.org
            Type: Host address
            Class: inet
            Time to live: 1 day, 20 hours, 16 minutes, 19 seconds
            Data length: 4
            Addr: 63.209.80.227

0000  00 d0 b7 ad a0 6c 00 04 5a 6b 35 5b 08 00 45 00   .....l..Zk5[..E.
0010  00 a7 1f 76 00 00 37 11 16 1a cf 45 bc ba c0 a8   ...v..7....E....
0020  01 0e 00 35 85 46 00 93 ec 04 46 3d 81 80 00 01   ...5.F....F=....
0030  00 01 00 02 00 02 0c 6d 61 6e 64 72 61 6b 65 73   .......mandrakes
0040  6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01   oft.com.........
0050  00 01 00 01 1d 13 00 04 d4 2b f4 14 c0 0c 00 02   .........+......
0060  00 01 00 01 1d 13 00 17 09 6d 6f 73 65 69 73 6c   .........moseisl
0070  65 79 07 6d 61 6e 64 72 61 78 03 6f 72 67 00 c0   ey.mandrax.org..
0080  0c 00 02 00 01 00 01 1d 13 00 0a 07 64 61 67 6f   ............dago
0090  62 61 68 c0 48 c0 3e 00 01 00 01 00 02 6e 93 00   bah.H.>......n..
00a0  04 3f d1 50 e2 c0 61 00 01 00 01 00 02 6e 93 00   .?.P..a......n..
00b0  04 3f d1 50 e3                                    .?.P.

> Might be fun to sleuth this thing out.... If it stays around long enough
> to get a bead on it... :>
>
> drjung

Pierre
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
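Added example, not part of the original post and not MandrakeSoft code: a small Python decoder for the two frames Pierre pasted. It strips the Ethernet/IPv4/UDP headers, walks the DNS message (including the `c0 xx` compression pointers that make the NS and additional records in the reply only 10 bytes long), and then applies the checks a resolver has to pass before it may trust a reply: the transaction ID, the reversed address/port pair and the question must all match the query it sent. The hex strings are copied from the two dumps above; the function names and the `RR_TYPES` table are this example's own and are not from ethereal or any library.

```python
"""Decode the query/response pair from the post and check the reply belongs
to the query.  Frame bytes are copied from the ethereal hex dumps above."""
import socket
import struct

QUERY_FRAME_HEX = (  # frame 10250, 76 bytes
    "00045a6b355b00d0b7ada06c08004500"
    "003eae6e400040113e8ac0a8010ecf45"
    "bcba85460035002a9821463d01000001"
    "0000000000000c6d616e6472616b6573"
    "6f667403636f6d0000010001"
)
RESPONSE_FRAME_HEX = (  # frame 10251, 181 bytes
    "00d0b7ada06c00045a6b355b08004500"
    "00a71f7600003711161acf45bcbac0a8"
    "010e003585460093ec04463d81800001"
    "0001000200020c6d616e6472616b6573"
    "6f667403636f6d0000010001c00c0001"
    "000100011d130004d42bf414c00c0002"
    "000100011d130017096d6f736569736c"
    "6579076d616e64726178036f726700c0"
    "0c0002000100011d13000a076461676f"
    "626168c048c03e0001000100026e9300"
    "043fd150e2c0610001000100026e9300"
    "043fd150e3"
)

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg, off):
    """Read a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it sits in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 11xxxxxx: 14-bit pointer
            if end is None:
                end = off + 2                    # resume after the pointer itself
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                        # refuse pointer loops in hostile data
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_rr(msg, off):
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1 and rdlen == 4:
        data = socket.inet_ntoa(msg[off:off + 4])
    elif rtype in (2, 5):
        data, _ = read_name(msg, off)            # RDATA may itself be compressed
    else:
        data = msg[off:off + rdlen].hex()
    return {"name": name, "type": RR_TYPES.get(rtype, rtype), "ttl": ttl, "data": data}, off + rdlen


def parse_dns(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": RR_TYPES.get(qtype, qtype)})
    sections = {}
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, **sections}


def parse_frame(hexstr):
    """Ethernet II -> IPv4 -> UDP -> DNS; returns the DNS dict plus addresses/ports."""
    frame = bytes.fromhex(hexstr)
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    dns = parse_dns(udp[8:ulen])
    dns.update({"src": src, "dst": dst, "sport": sport, "dport": dport})
    return dns


def reply_matches(query, reply):
    """What a stub/recursive resolver must verify before accepting a reply."""
    return (reply["is_response"] and not query["is_response"]
            and reply["txid"] == query["txid"]
            and (reply["src"], reply["sport"]) == (query["dst"], query["dport"])
            and (reply["dst"], reply["dport"]) == (query["src"], query["sport"])
            and reply["questions"] == query["questions"])


if __name__ == "__main__":
    q, r = parse_frame(QUERY_FRAME_HEX), parse_frame(RESPONSE_FRAME_HEX)
    print(q["txid"], q["sport"], q["questions"])
    for section in ("answers", "authority", "additional"):
        for rr in r[section]:
            print(section, rr)
    print("reply matches query:", reply_matches(q, r))
```

Run over a longer trace, the two per-query values worth logging are the ones `parse_frame` returns as `sport` and `txid`: those are the only things an off-path attacker has to guess to forge a reply, so a source port that only creeps upward (as Pierre observed) combined with a 16-bit transaction ID leaves very little entropy to protect the cache. The pointer-hop limit in `read_name` is there because a malformed or malicious message can point a name at itself.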