
Re: FW: [Full-Disclosure] Question for DNS pros



Hello,

> > dns query is being asked...something like
> > tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4
> >
> I already did this, and I already posted it here.  It didn't reveal
> anything that I wasn't already aware of - ns requests and ptr requests
> for that IP.

Update your tcpdump or verify the syntax.
I just tried:

tcpdump -v -s 1500 -n udp port 53

on our NS server, and it shows the complete details of the request.

09:38:50.669060 eth0 < 67.166.39-62.rev.gaoland.net.3746 > sim-01.PAR.witbe.net.domain: 34277+ PTR? 250.92.168.192.in-addr.arpa. (45) (DF) (ttl 61, id 145)
09:38:50.669312 eth0 > sim-01.PAR.witbe.net.domain > 67.166.39-62.rev.gaoland.net.3746: 34277 NXDomain* 0/1/0 (106) (ttl 64, id 22280)
09:38:50.672336 eth0 < 67.166.39-62.rev.gaoland.net.3746 > sim-01.PAR.witbe.net.domain: 34278+ A? bench-02.cou.zt.witbe.net. (43) (DF) (ttl 61, id 145)
09:38:50.672998 eth0 < cms-01.PAR.witbe.net.39257 > sim-01.PAR.witbe.net.domain: 8689+ PTR? 67.166.39.62.in-addr.arpa. (43) (DF) (ttl 64, id 34765)
09:38:50.673026 eth0 > sim-01.PAR.witbe.net.domain > 67.166.39-62.rev.gaoland.net.3746: 34278 Refused 0/0/0 (43) (ttl 64, id 22282)
...

Regards,
Paul

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
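
Added example (not part of the original message): a small Python parser for tcpdump output in the layout shown above. It rejoins mail-wrapped lines and pairs each query with the error reply carrying the same client, port and DNS ID. The sample capture, its host names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout shown above (hosts and IDs are made up),
# including mail-wrapped continuation lines.
SAMPLE = """\
09:38:50.669060 eth0 < client.example.net.3746 >
ns.example.org.domain: 34277+ PTR? 250.92.168.192.in-addr.arpa. (45)
(DF) (ttl 61, id 145)
09:38:50.669312 eth0 > ns.example.org.domain >
client.example.net.3746: 34277 NXDomain* 0/1/0 (106) (ttl 64, id 22280)
09:38:50.672336 eth0 < client.example.net.3746 >
ns.example.org.domain: 34278+ A? host.internal.example.org. (43) (DF)
09:38:50.673026 eth0 > ns.example.org.domain > client.example.net.3746: 34278 Refused 0/0/0 (43)
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
QUERY = re.compile(r"< (\S+)\.(\d+) > \S+\.domain: (\d+)\+? (\w+)\? (\S+)")
REPLY = re.compile(r"> \S+\.domain > (\S+)\.(\d+): (\d+) ([A-Za-z]+)\*? ")

def records(text):
    """Rejoin wrapped lines: a new record starts at a timestamp."""
    rec = []
    for line in text.splitlines():
        if TS.match(line) and rec:
            yield " ".join(rec)
            rec = []
        if line.strip():
            rec.append(line.strip())
    if rec:
        yield " ".join(rec)

def summarize(text):
    """Pair each query with its named-rcode reply by (client, port, DNS id)."""
    pending, out = {}, []
    for rec in records(text):
        if (m := QUERY.search(rec)):
            client, port, qid, qtype, name = m.groups()
            pending[(client, port, qid)] = (qtype, name)
        elif (m := REPLY.search(rec)):
            client, port, qid, rcode = m.groups()
            q = pending.pop((client, port, qid), None)
            if q:
                out.append((client, q[0], q[1], rcode))
    return out, Counter(r[3] for r in out)

if __name__ == "__main__":
    for row in summarize(SAMPLE)[0]:
        print(*row)
```

This sketch reports only replies that carry a named response code, as the NXDomain and Refused lines in the capture do.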