On Thu, Jul 05, 2001 at 05:25:04PM +0200, Marek Gutkowski wrote:
>
> ----- Original Message -----
> From: "Charles Cazabon" <[EMAIL PROTECTED]>
>
>
> > Perfectly normal behaviour, if Hotmail's DNS is broken, or your resolver
> is
> > broken.
>
> I agree. Hotmail's DNS is broken. That's not the point.
>
> > It doesn't. snort is lying -- don't worry, it lies about a lot of other
> > things, too. Take everything snort says with a grain of salt. Please do
> not
> > followup with any further snort discussion; it's offtopic for this list.
> >
>
> First - thanks for a quick reply.
>
> Snort is just a tool, and my previous post was about qmail, not snort :)
> Snort is not lying. You think it took the packet dump out of the blue sky?
> I also ran tcpdump and it says the same. Is tcpdump also lying?
Snort is lying. tcpdump is being misunderstood* by someone who doesn't
understand the DNS protocol -- and who is being rude to someone who is trying
to help as a result.
* Unless tcpdump is actually saying 'Zone transfer', or showing you AXFR
requests, or something like that. In which case it's lying too. ;) qmail
_does not do AXFR_, nor can it cause an AXFR.
>
> Mail server really tries to connect to the DNS with tcp dport 53. It does.
> It does. I'm sure.
I'm sure it does too. Connections on port 53/TCP _do not_ have to be
zone transfer requests. RTFM, RFC 1035. Sounds like your qmail might
require the big-dns patch.** You should be able to find it on the qmail
home page.
** Odd, though, as my queries for hotmail MX records show 504 bytes,
inside the limit for UDP....They seem to have intentionally stayed
inside this limit, on purpose. Could we see the results of (both or
either):
dig mx hotmail.com @ns1.hotmail.com
dnsq mx hotmail.com ns1.hotmail.com
Specifically, I'd like to see the byte count.
--
Greg White
