[unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?
irwin at princeton.edu
Mon Oct 10 18:25:07 GMT 2005
Our experience here matched that of Gaby Hoffmann.
The excessive DNS traffic is associated with version 6.0.667.000 of ZoneAlarm free.
------- Previous Message(s)
>Date: Tue, 27 Sep 2005 12:06:46 -0400
>From: Irwin Tillman <irwin at princeton.edu>
>To: unisog at lists.sans.org
>Subject: DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?
In recent weeks, I've been seeing an increasing volume of DNS traffic from some Windows machines
in a pattern that I've not seen before.
Each of the affected machines is sending two DNS lookups for every
UDP broadcast packet it hears involving NetBIOS ports 137 or 138.
E.g. if a machine (say 10.1.57.8) on network (say 10.1.0.0/16) broadcasts:
IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
Then each affected Windows machine (say 10.1.3.4) on the same network
issues the following two lookups to the DNS server (say 192.168.1.1):
IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 22.214.171.124.in-addr.arpa.
IP 10.1.3.4.3639 > 192.168.1.1.53 2+ PTR? 255.255.1.10.in-addr.arpa.
>Date: Wed, 28 Sep 2005 09:53:50 +1000
>From: Gaby Hoffmann <gaby.Hoffmann at anu.edu.au>
>To: UNIversity Security Operations Group <unisog at lists.sans.org>
>Subject: Re: [unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?
>Reply-to: UNIversity Security Operations Group <unisog at lists.sans.org>
I've seen the same behaviour on our network by machines
running version 6.0.667.000 of ZoneAlarm free.
When the students reverted to version 5.5.094, the
excessive DNS queries stopped.
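To spot the pattern Irwin describes on your own network, a small parser for tcpdump-style lines that correlates NetBIOS broadcasts with the PTR lookups they trigger. This is an added example, not code from the thread; the log lines are constructed to mirror the reported traffic (addresses, client ports and query ids are made up).

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample modelled on the thread: each NBT broadcast is
# followed by two PTR lookups from client 10.1.3.4 (sender, then broadcast address).
SAMPLE_LOG = """\
IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.9.9.138 > 10.1.255.255.138: NBT UDP PACKET(138)
IP 10.1.3.4.3640 > 192.168.1.1.53: 3+ PTR? 9.9.1.10.in-addr.arpa.
IP 10.1.3.4.3641 > 192.168.1.1.53: 3+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.7.7.4000 > 192.168.1.1.53: 1+ A? www.example.com.
"""

# NBT broadcast: source "ip.137|138" to destination "ip.137|138:"
NBT_RE = re.compile(r'^IP (\S+)\.13[78] > (\S+)\.13[78]: NBT')
# PTR query to port 53 (tcpdump sometimes omits the colon after the port)
PTR_RE = re.compile(r'^IP (\S+)\.\d+ > \S+\.53:? \d+\+ PTR\? ([\w.-]+)\.in-addr\.arpa\.')


def reverse_name_to_ip(labels: str) -> str:
    """'255.255.1.10' (in-addr.arpa label order) -> '10.1.255.255'."""
    return ".".join(reversed(labels.split(".")))


def count_nbt_broadcasts(log_text: str) -> int:
    return sum(1 for line in log_text.splitlines() if NBT_RE.match(line))


def find_nbt_ptr_chatter(log_text: str) -> dict:
    """Return {client_ip: hits} counting PTR lookups whose target is an address
    seen in an NBT broadcast (either the sender or the broadcast address).
    A client reporting about two hits per broadcast matches the reported pattern."""
    nbt_addrs = set()
    for line in log_text.splitlines():
        m = NBT_RE.match(line)
        if m:
            nbt_addrs.update(m.groups())
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = PTR_RE.match(line)
        if m and reverse_name_to_ip(m.group(2)) in nbt_addrs:
            hits[m.group(1)] += 1
    return dict(hits)


if __name__ == "__main__":
    broadcasts = count_nbt_broadcasts(SAMPLE_LOG)
    for client, n in find_nbt_ptr_chatter(SAMPLE_LOG).items():
        print(f"{client}: {n} NBT-triggered PTR lookups for {broadcasts} broadcasts")
```

Feed it `tcpdump -n -l 'udp port 137 or udp port 138 or udp port 53'` output captured over a few minutes; clients whose hit count tracks twice the broadcast count are the ones to check for the ZoneAlarm version named in the thread.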