[Dshield] Can you pros take a look?

Don Wilder Don at TheWilders.Org
Sun Jul 22 13:48:09 GMT 2001

> Mark Rowlands on Saturday, July 21, 2001 5:02 PM espoused:
> On Saturday 21 July 2001 18:30, Don Wilder wrote:
> > Paul,
> >
> > There are 2 plausible explanations:
> >
> > 1. Someone is trying to lookup DNS information using your IP
> address. The
> > UDP 53 part indicates that it is a DNS lookup as apposed to a
> TCP 53 which
> > is the old DNS Zone transfer request.
> I thought that TCP is also used for very large responses and is
> still used
> for  zone transfer....has this changed?
No, the new versions of Bind (8.x & 9.x) can be set to do zone transfers via
other ports... Port 53 is just the default...

Shamelessly snipped from the Bind 9 Administrators Guide available from
http://www.isc.org/products/BIND/bind9.html and

The UDP/TCP port number the server uses for
receiving and sending DNS protocol traffic. The
default is 53. This option is mainly intended for
server testing; a server using a port other than 53
will not be able to communicate with the global
DNS. The port option should be placed at the
beginning of the options block, before any other
options that take port numbers or IP addresses, to
ensure that the port value takes effect for all
addresses used by the server.

A slave zone is a replica of a master zone. The masters list
specifies one or more IP addresses that the slave contacts to update
its copy of the zone. By default, transfers are made from port 53 on
the servers; this can be changed for all servers by specifying a port
number before the list of IP addresses, or on a per-server basis after
the IP address. If a port is specified, the slave then checks to see if
the zone is current and zone transfers will be done to the port

More information about the list mailing list