[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Dan Peterson dpiddy at gmail.com
Sat Jun 28 20:05:17 ADT 2014


If I was researching this for myself, I would look into:

* IP info for both sides (is one me? who owns them? `whois 1.2.3.4`,
`dig -x 1.2.3.4`)
* names involved (are they things I'm likely requesting, directly or
indirectly?)
* am I seeing some kind of shared network traffic?

Happy to help more if you want to provide more info.

On Sat, Jun 28, 2014 at 2:50 PM, Mike Spencer <mspencer at tallships.ca> wrote:
>
> I'm seeing (with tcpdump running in an xterm behind whatever I'm
> doing) numerous packets, variously:
>
>    + source port 53, reporting ServFail
>
>    + source port 53, reporting NXDomain
>
>    + ICMP reporting "udp port 53 unreachable"
>
> from IP addresses all over IP space. So these appear (I suppose
> intentionally) to be replies to DNS requests that I never sent.
>
> Can someone explain what the object of this is (or cause, if it's a
> side effect) or point me to an on-line explanation or discussion?
>
> Googling hasn't produced much, if any, enlightenment.  iptables is
> dropping the packets but I'm curious.
>
>
> - Mike
>
> --
> Michael Spencer                  Nova Scotia, Canada       .~.
>                                                            /V\
> mspencer at tallships.ca                                     /( )\
> http://home.tallships.ca/mspencer/                        ^^-^^
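
The "is one me?" check and the premise that these are replies to requests never sent can both be tested against a saved capture. This is an added example, not part of the original thread: it pairs each inbound port-53 reply with an outbound query by server address, local port and DNS transaction ID, and tallies what is left over. The function name `classify`, the sample lines and the local address 192.0.2.10 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -n` text format. Addresses come from the
# documentation ranges (RFC 5737); 192.0.2.10 stands in for the local host.
SAMPLE = """\
20:01:01.000000 IP 192.0.2.10.41234 > 198.51.100.7.53: 4711+ A? example.org. (29)
20:01:01.040000 IP 198.51.100.7.53 > 192.0.2.10.41234: 4711 NXDomain 0/1/0 (98)
20:01:02.000000 IP 203.0.113.9.53 > 192.0.2.10.33001: 1234 ServFail 0/0/0 (34)
20:01:03.000000 IP 203.0.113.50.53 > 192.0.2.10.2048: 9001 NXDomain 0/1/0 (101)
20:01:04.000000 IP 203.0.113.77 > 192.0.2.10: ICMP 203.0.113.77 udp port 53 unreachable, length 70
"""

# src.port > dst.53: txid          (a query leaving for some resolver)
QUERY = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.53: (\d+)\D")
# src.53 > dst.port: txid rcode    (an error reply arriving from port 53)
REPLY = re.compile(r"IP (\S+)\.53 > (\S+)\.(\d+): (\d+) (ServFail|NXDomain)")
ICMP = re.compile(r"IP (\S+) > (\S+): ICMP \S+ udp port 53 unreachable")

def classify(capture, local_ip):
    """Split error replies into solicited and unsolicited.

    Assumes the capture is in time order, so a real query is seen
    before its reply.
    """
    asked = set()  # (server, local port, txid) for queries this host sent
    report = {"solicited": 0, "unsolicited": Counter(), "icmp_unreach": Counter()}
    for line in capture.splitlines():
        m = REPLY.search(line)
        if m and m.group(2) == local_ip:
            server, _, port, txid, rcode = m.groups()
            if (server, port, txid) in asked:
                report["solicited"] += 1
            else:
                report["unsolicited"][(server, rcode)] += 1
            continue
        m = QUERY.search(line)
        if m and m.group(1) == local_ip:
            asked.add((m.group(3), m.group(2), m.group(4)))
            continue
        m = ICMP.search(line)
        if m and m.group(2) == local_ip:
            report["icmp_unreach"][m.group(1)] += 1
    return report

if __name__ == "__main__":
    print(classify(SAMPLE, "192.0.2.10"))
```

Each address left in `unsolicited` or `icmp_unreach` is a candidate for the `whois` and `dig -x` lookups listed in the reply.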

