On Thu, 28 Nov 2002 12:47:38 -0600 "J. Craig Woods"
<[EMAIL PROTECTED]> wrote:
> Pierre,
>
> Very interesting, can you tell us more, i.e. are these conventional
> dns queries? Are these being sent and received on port 53 (or some other
> port)? What is the proto, tcp or udp? What kind of flags are set in
> the IP headers? What does top (or a "ps -aux") show? Are these queries
> going out to gtld and/or root servers, i.e. where are the destinations
> and/or sources? Do you see any aberrations in your syslog?
>
Hey Craig!
Here's a typical query/response pair... just out to the first NS listed in
/etc/resolv.conf... Nothing above the radar on top/ps... Went out for
turkey dinner; when I got back the queries had stopped... and I restarted
the ethereal trace without saving the original... :P The source port was
incrementing; but not on every query... I'll keep an eye on it for a
while...
Frame 10250 (76 bytes on wire, 76 bytes captured)
Arrival Time: Nov 28, 2002 13:05:58.884533000
Time delta from previous packet: 19.869979000 seconds
Time relative to first packet: 15496.958553000 seconds
Frame Number: 10250
Packet Length: 76 bytes
Capture Length: 76 bytes
Ethernet II, Src: 00:d0:b7:ad:a0:6c, Dst: 00:04:5a:6b:35:5b
Destination: 00:04:5a:6b:35:5b (The_6b:35:5b)
Source: 00:d0:b7:ad:a0:6c (INTEL_ad:a0:6c)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.1.14 (192.168.1.14), Dst Addr:
207.69.188.186 (207.69.188.186)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 62
Identification: 0xae6e
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x3e8a (correct)
Source: 192.168.1.14 (192.168.1.14)
Destination: 207.69.188.186 (207.69.188.186)
User Datagram Protocol, Src Port: 34118 (34118), Dst Port: domain (53)
Source port: 34118 (34118)
Destination port: domain (53)
Length: 42
Checksum: 0x9821 (correct)
Domain Name System (query)
Transaction ID: 0x463d
Flags: 0x0100 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated
data is unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
mandrakesoft.com: type A, class inet
Name: mandrakesoft.com
Type: Host address
Class: inet
0000 00 04 5a 6b 35 5b 00 d0 b7 ad a0 6c 08 00 45 00 ..Zk5[.....l..E.
0010 00 3e ae 6e 40 00 40 11 3e 8a c0 a8 01 0e cf 45 .>.n@.@.>......E
0020 bc ba 85 46 00 35 00 2a 98 21 46 3d 01 00 00 01 ...F.5.*.!F=....
0030 00 00 00 00 00 00 0c 6d 61 6e 64 72 61 6b 65 73 .......mandrakes
0040 6f 66 74 03 63 6f 6d 00 00 01 00 01 oft.com.....
Frame 10251 (181 bytes on wire, 181 bytes captured)
Arrival Time: Nov 28, 2002 13:05:59.022457000
Time delta from previous packet: 0.137924000 seconds
Time relative to first packet: 15497.096477000 seconds
Frame Number: 10251
Packet Length: 181 bytes
Capture Length: 181 bytes
Ethernet II, Src: 00:04:5a:6b:35:5b, Dst: 00:d0:b7:ad:a0:6c
Destination: 00:d0:b7:ad:a0:6c (INTEL_ad:a0:6c)
Source: 00:04:5a:6b:35:5b (The_6b:35:5b)
Type: IP (0x0800)
Internet Protocol, Src Addr: 207.69.188.186 (207.69.188.186), Dst Addr:
192.168.1.14 (192.168.1.14)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 167
Identification: 0x1f76
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 55
Protocol: UDP (0x11)
Header checksum: 0x161a (correct)
Source: 207.69.188.186 (207.69.188.186)
Destination: 192.168.1.14 (192.168.1.14)
User Datagram Protocol, Src Port: domain (53), Dst Port: 34118 (34118)
Source port: domain (53)
Destination port: 34118 (34118)
Length: 147
Checksum: 0xec04 (correct)
Domain Name System (response)
Transaction ID: 0x463d
Flags: 0x8180 (Standard query response, No error)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority
for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive
queries
.... .... ..0. .... = Answer authenticated: Answer/authority
portion was not authenticated by the server
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 2
Additional RRs: 2
Queries
mandrakesoft.com: type A, class inet
Name: mandrakesoft.com
Type: Host address
Class: inet
Answers
mandrakesoft.com: type A, class inet, addr 212.43.244.20
Name: mandrakesoft.com
Type: Host address
Class: inet
Time to live: 20 hours, 16 minutes, 19 seconds
Data length: 4
Addr: 212.43.244.20
Authoritative nameservers
mandrakesoft.com: type NS, class inet, ns moseisley.mandrax.org
Name: mandrakesoft.com
Type: Authoritative name server
Class: inet
Time to live: 20 hours, 16 minutes, 19 seconds
Data length: 23
Name server: moseisley.mandrax.org
mandrakesoft.com: type NS, class inet, ns dagobah.mandrax.org
Name: mandrakesoft.com
Type: Authoritative name server
Class: inet
Time to live: 20 hours, 16 minutes, 19 seconds
Data length: 10
Name server: dagobah.mandrax.org
Additional records
moseisley.mandrax.org: type A, class inet, addr 63.209.80.226
Name: moseisley.mandrax.org
Type: Host address
Class: inet
Time to live: 1 day, 20 hours, 16 minutes, 19 seconds
Data length: 4
Addr: 63.209.80.226
dagobah.mandrax.org: type A, class inet, addr 63.209.80.227
Name: dagobah.mandrax.org
Type: Host address
Class: inet
Time to live: 1 day, 20 hours, 16 minutes, 19 seconds
Data length: 4
Addr: 63.209.80.227
0000 00 d0 b7 ad a0 6c 00 04 5a 6b 35 5b 08 00 45 00 .....l..Zk5[..E.
0010 00 a7 1f 76 00 00 37 11 16 1a cf 45 bc ba c0 a8 ...v..7....E....
0020 01 0e 00 35 85 46 00 93 ec 04 46 3d 81 80 00 01 ...5.F....F=....
0030 00 01 00 02 00 02 0c 6d 61 6e 64 72 61 6b 65 73 .......mandrakes
0040 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 oft.com.........
0050 00 01 00 01 1d 13 00 04 d4 2b f4 14 c0 0c 00 02 .........+......
0060 00 01 00 01 1d 13 00 17 09 6d 6f 73 65 69 73 6c .........moseisl
0070 65 79 07 6d 61 6e 64 72 61 78 03 6f 72 67 00 c0 ey.mandrax.org..
0080 0c 00 02 00 01 00 01 1d 13 00 0a 07 64 61 67 6f ............dago
0090 62 61 68 c0 48 c0 3e 00 01 00 01 00 02 6e 93 00 bah.H.>......n..
00a0 04 3f d1 50 e2 c0 61 00 01 00 01 00 02 6e 93 00 .?.P..a......n..
00b0 04 3f d1 50 e3 .?.P.
> Might be fun to sleuth this thing out....
If it stays around long enough to get a bead on it... :>
> drjung
Pierre
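The query/response pair above, decoded from its own hex dump. This is an added example, not code from Pierre's post or from Ethereal; the bytes are copied verbatim from frames 10250 and 10251, and only the function names are my own. It walks Ethernet -> IPv4 -> UDP -> DNS, answering Craig's questions mechanically (protocol, ports, DF flag, TTL), re-verifies the IP header checksum Ethereal marked "(correct)", follows the c0 xx compression pointers in the response (rejecting a forward or looping pointer, which a crafted reply could carry), and applies the checks a stub resolver makes before it accepts a reply: source/destination addresses and ports swapped, same transaction ID, same question.

```python
"""Decode the two Ethereal frames quoted above (Ethernet -> IPv4 -> UDP -> DNS).
Added example; hex copied from frames 10250 and 10251 in the post."""
import struct

QUERY_HEX = """
00 04 5a 6b 35 5b 00 d0 b7 ad a0 6c 08 00 45 00
00 3e ae 6e 40 00 40 11 3e 8a c0 a8 01 0e cf 45
bc ba 85 46 00 35 00 2a 98 21 46 3d 01 00 00 01
00 00 00 00 00 00 0c 6d 61 6e 64 72 61 6b 65 73
6f 66 74 03 63 6f 6d 00 00 01 00 01
"""
RESPONSE_HEX = """
00 d0 b7 ad a0 6c 00 04 5a 6b 35 5b 08 00 45 00
00 a7 1f 76 00 00 37 11 16 1a cf 45 bc ba c0 a8
01 0e 00 35 85 46 00 93 ec 04 46 3d 81 80 00 01
00 01 00 02 00 02 0c 6d 61 6e 64 72 61 6b 65 73
6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01
00 01 00 01 1d 13 00 04 d4 2b f4 14 c0 0c 00 02
00 01 00 01 1d 13 00 17 09 6d 6f 73 65 69 73 6c
65 79 07 6d 61 6e 64 72 61 78 03 6f 72 67 00 c0
0c 00 02 00 01 00 01 1d 13 00 0a 07 64 61 67 6f
62 61 68 c0 48 c0 3e 00 01 00 01 00 02 6e 93 00
04 3f d1 50 e2 c0 61 00 01 00 01 00 02 6e 93 00
04 3f d1 50 e3
"""

def frame_bytes(dump):
    return bytes.fromhex("".join(dump.split()))

def ip_checksum_ok(hdr):
    """RFC 791: one's-complement sum over the header, checksum field included, is 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def read_name(msg, off):
    """Return (name, offset just past the name in the original position).
    Pointers (RFC 1035 4.1.4) must point backwards and may be followed once each,
    so a crafted pointer loop raises instead of spinning."""
    labels, end, seen = [], None, set()
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or ptr in seen:
                raise ValueError("bad compression pointer at offset %d" % off)
            seen.add(ptr)
            end = end if end is not None else off + 2
            off = ptr
            continue
        if length & 0xC0:
            raise ValueError("reserved label type at offset %d" % off)
        if length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_dns(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))

    def rrs(count):
        nonlocal off
        out = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:                      # A record
                data = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == 2:                                    # NS, rdata may be compressed
                data, _ = read_name(msg, off)
            else:
                data = msg[off:off + rdlen].hex()
            off += rdlen
            out.append((name, rtype, ttl, data))
        return out

    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "questions": questions, "answers": rrs(an),
            "authority": rrs(ns), "additional": rrs(ar)}

def parse_frame(raw):
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = raw[14:]
    vihl, _tos, total, _id, frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total]
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    return {"src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "ttl": ttl, "df": bool(frag & 0x4000), "ip_checksum_ok": ip_checksum_ok(ip[:ihl]),
            "sport": sport, "dport": dport, "dns": parse_dns(udp[8:ulen])}

def is_matching_reply(query, reply):
    """What a stub resolver checks before trusting a UDP reply: it came from the server
    and port it asked, back to the port it used, with the same ID and question."""
    return (reply["src"] == query["dst"] and reply["dst"] == query["src"]
            and reply["sport"] == query["dport"] and reply["dport"] == query["sport"]
            and reply["dns"]["qr"] and not query["dns"]["qr"]
            and reply["dns"]["txid"] == query["dns"]["txid"]
            and reply["dns"]["questions"] == query["dns"]["questions"])

if __name__ == "__main__":
    q = parse_frame(frame_bytes(QUERY_HEX))
    r = parse_frame(frame_bytes(RESPONSE_HEX))
    print(q["src"], q["sport"], "->", q["dst"], q["dport"], "id", hex(q["dns"]["txid"]), q["dns"]["questions"])
    for section in ("answers", "authority", "additional"):
        for rr in r["dns"][section]:
            print(section, rr)
    print("reply matches query:", is_matching_reply(q, r))
```

Note what is_matching_reply does not check: nothing in the packet is authenticated, so the reply is accepted on the strength of the 16-bit transaction ID and the 16-bit source port alone. That is why the detail that the source port was "incrementing, but not on every query" is worth watching: the less those two values vary, the easier it is for a third party to deliver a forged reply that passes exactly these checks.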
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com