[Dshield] Help: DNS (53)

Alan Frayer afrayer at frayernet.com
Fri Jan 2 01:49:03 GMT 2004

On Thu, 2004-01-01 at 18:27, Chris Brenton wrote:

> On Thu, 2004-01-01 at 11:30, Alan Frayer wrote:
> >
> > Okay, I've been trying to follow this thread with some interest because
> > I've been getting hit with UDP 53 packets for the last month at one or
> > two of my IPs.
> Are the IPs:
> a name server used by internal clients?
> a many to one NAT IP with a name server behind it?
> If not, you might be looking at something different.

Thank you for replying, Chris. The target IPs are ISP-provided public
IPs into private networks that are connected together through VPNs. None
of the private networks hold a DNS, and the only names they've been
given are NetBIOS names (which I do not believe would apply here); they
all exist within a simple NT domain.

I would have to answer no to both questions, so I'm probably right in
rejecting the 53/UDP packets.

> If you meet one or both of the above conditions, it could be load
> balancing. If not, it could be malicious. Check the source IP and see if
> it's part of an address space or domain that you have recently queried.
> If you can spot a pattern (like it always comes from the same source IP
> but only during microsoft.com related queries), you are probably OK. If
> not, again, it might be malicious.

One thing I've not done was look to see if the source addresses resolve
to a browsable location. I'll have to check that.

> Or.... there are fewer people at _your_ site during those times
> generating outbound queries that are causing this possible load balancer
> to check performance metrics back to your site.

Certainly never occurred to me, but since I don't have a name server
behind the IP, this isn't likely, right?


Alan Frayer, CNE, CNI, CIW CI, MCP, Net+ - afrayer at frayernet.com
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org
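Chris's suggested check, correlating each inbound UDP/53 hit with the DNS servers your own clients queried shortly beforehand, can be scripted. The following is an added example written for this archive page, not code from either poster; the firewall and resolver log lines, the log formats, and the 120-second window and /24 grouping are all constructed assumptions for illustration. A hit that matches a recently queried server (or its address block) is reported as "correlated", the likely load-balancer case; anything else is "unsolicited" and worth a closer look.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (assumed format): inbound UDP packets
# to destination port 53 that the border device dropped.
INBOUND_LOG = """\
2004-01-01 18:01:05 DROP UDP 192.0.2.10:53 -> 203.0.113.5:53
2004-01-01 18:01:40 DROP UDP 198.51.100.77:2049 -> 203.0.113.5:53
2004-01-01 18:30:12 DROP UDP 192.0.2.23:53 -> 203.0.113.5:53
"""

# Constructed sample outbound query log (assumed format): which external
# DNS servers our clients talked to, and for which names.
OUTBOUND_LOG = """\
2004-01-01 18:00:58 QUERY www.example.com -> 192.0.2.10
2004-01-01 18:29:50 QUERY mail.example.com -> 192.0.2.21
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
IN_RE = re.compile(r"^(\S+ \S+) DROP UDP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):53$")
OUT_RE = re.compile(r"^(\S+ \S+) QUERY (\S+) -> (\d+\.\d+\.\d+\.\d+)$")

WINDOW = timedelta(seconds=120)  # assumed: how long after a query a probe still "belongs" to it


def parse_inbound(text):
    """Return inbound UDP/53 hits as dicts with timestamp, source and dest."""
    hits = []
    for line in text.splitlines():
        m = IN_RE.match(line)
        if m:
            hits.append({"ts": datetime.strptime(m.group(1), TS_FMT),
                         "src": m.group(2), "sport": int(m.group(3)), "dst": m.group(4)})
    return hits


def parse_outbound(text):
    """Return outbound DNS queries as dicts with timestamp, name and server."""
    queries = []
    for line in text.splitlines():
        m = OUT_RE.match(line)
        if m:
            queries.append({"ts": datetime.strptime(m.group(1), TS_FMT),
                            "name": m.group(2), "server": m.group(3)})
    return queries


def classify(inbound, outbound, window=WINDOW, prefix=24):
    """Label each inbound hit 'correlated' if its source matches a DNS server
    (exactly, or within the same /prefix block) that we queried within the
    window before the hit; otherwise 'unsolicited'."""
    results = []
    for hit in inbound:
        verdict, reason = "unsolicited", "no recent outbound query to this address space"
        src = ip_address(hit["src"])
        for q in outbound:
            age = hit["ts"] - q["ts"]
            if not (timedelta(0) <= age <= window):
                continue  # query came after the hit, or too long before it
            if q["server"] == hit["src"]:
                verdict = "correlated"
                reason = f"we queried {q['server']} for {q['name']} {age.seconds}s earlier"
                break
            if src in ip_network(f"{q['server']}/{prefix}", strict=False):
                verdict = "correlated"
                reason = f"same /{prefix} as {q['server']} ({q['name']}) queried {age.seconds}s earlier"
        results.append({"src": hit["src"], "ts": hit["ts"], "verdict": verdict, "reason": reason})
    return results


def analyze(inbound_text=INBOUND_LOG, outbound_text=OUTBOUND_LOG):
    return classify(parse_inbound(inbound_text), parse_outbound(outbound_text))


if __name__ == "__main__":
    for r in analyze():
        print(f"{r['ts']} {r['src']:>16} {r['verdict']:<12} {r['reason']}")
```

Of the three constructed hits, the first and third correlate with outbound queries (the third only via the shared /24, which is the "part of an address space" case Chris describes), while the middle one from 198.51.100.77 has no matching query and is the one to investigate. On a site with no name server behind the IP, as in Alan's case, the unsolicited ones are simply dropped anyway; the correlation mainly tells you whether the traffic is explainable or not.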
