[unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?

Gaby Hoffmann gaby.Hoffmann at anu.edu.au
Tue Sep 27 23:53:50 GMT 2005


I've seen the same behaviour on our network by machines
running version 6.0.667.000 of ZoneAlarm free.
When the students reverted to version 5.5.094, the
excessive DNS queries stopped.

Gaby

Irwin Tillman wrote:
> In recent weeks, I've been seeing an increasing volume of DNS traffic from some Windows machines
> in a pattern that I've not seen before.
> 
> Because the affected machines are almost entirely student machines,
> I thought I'd check with unisog folks to see if they've seen the
> pattern before.
> 
> 
> Each of the affected machines is sending two DNS lookups for every
> UDP broadcast packet it hears involving NetBIOS ports 137 or 138.
> 
> E.g. if a machine (say 10.1.57.8) on network (say 10.1.0.0/16) broadcasts:
> 
>     IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> 
> Then each affected Windows machine (say 10.1.3.4) on the same network
> issues the following two lookups to the DNS server (say 192.168.1.1):
> 
>    IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
>    IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
> 
-- 
___________________________________________________________________________
Gaby Hoffmann                       E-Mail : Gaby.Hoffmann at anu.edu.au
ANU IT Security, DOI                Phone : (02) 6125 3264 Mob:0410 348 254
Leonard Huxley Building #56         Fax   : (02) 6125 8199 internal:58199
Australian National University      Canberra, ACT 0200
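Added example (not from either poster): a small detector for the pattern Irwin describes, run over tcpdump-style lines in the notation quoted above. It records the source and broadcast addresses of every NBT packet on udp/137 or udp/138, then flags clients whose PTR queries reverse-resolve those same addresses. The sample log is constructed, not a real capture, and the host-firewall version question is left to the thread.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's "IP src.port > dst.port:" notation,
# mirroring the pattern described in the thread (not a real capture).
SAMPLE_LOG = """\
IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.9.9.1025 > 192.168.1.1.53: 3+ A? www.example.com.
IP 10.1.20.1.138 > 10.1.255.255.138: NBT UDP PACKET(138)
IP 10.1.3.4.3640 > 192.168.1.1.53: 4+ PTR? 1.20.1.10.in-addr.arpa.
IP 10.1.3.4.3641 > 192.168.1.1.53: 4+ PTR? 255.255.1.10.in-addr.arpa.
IP 10.1.7.7.2000 > 192.168.1.1.53: 5+ PTR? 1.1.168.192.in-addr.arpa.
"""

# NetBIOS name-service (137) or datagram-service (138) packet: capture src and dst.
NBT_RE = re.compile(r"^IP (\S+)\.13[78] > (\S+)\.13[78]: NBT ")
# PTR query from any client port to a resolver on port 53: capture client and name.
PTR_RE = re.compile(r"^IP (\S+)\.\d+ > \S+\.53: \d+\+ PTR\? (\S+)$")


def ptr_to_ip(name: str) -> str:
    """Turn '8.57.1.10.in-addr.arpa.' back into the forward address '10.1.57.8'."""
    host = name.rstrip(".")
    suffix = ".in-addr.arpa"
    if host.endswith(suffix):
        host = host[: -len(suffix)]
    return ".".join(reversed(host.split(".")))


def suspicious_resolvers(lines, min_hits=2):
    """Return {client_ip: hits} for clients whose PTR queries keep targeting
    addresses that appeared (as source or destination) in NBT broadcasts
    seen earlier in the capture. Unrelated reverse lookups do not count."""
    seen_in_broadcasts = set()
    hits = defaultdict(int)
    for line in lines:
        m = NBT_RE.match(line)
        if m:
            seen_in_broadcasts.update(m.groups())
            continue
        m = PTR_RE.match(line)
        if m and ptr_to_ip(m.group(2)) in seen_in_broadcasts:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in suspicious_resolvers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} PTR lookups tied to NBT broadcasts")
```

Feed it `tcpdump -n -l 'udp port 53 or udp port 137 or udp port 138'` output to get a list of hosts to chase down; raise `min_hits` on a busy segment to cut noise.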
