[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"

Joel Maxuel j.maxuel at gmail.com
Sat Jun 28 22:45:11 ADT 2014


I would try running a traffic analyzer (like Wireshark) and then match
the latest port 53 errors with (e.g. by IP) what the Wireshark data dump
delivers.  Should provide a fuller story.


--
Cheers,
Joel Maxuel

"One should strive to achieve, not sit in bitter regret."
 - Ronan Harris / Mark Jackson


On Sat, Jun 28, 2014 at 8:05 PM, Dan Peterson <dpiddy at gmail.com> wrote:

> If I was researching this for myself, I would look into:
>
> * IP info for both sides (is one me? who owns them? `whois 1.2.3.4`,
> `dig -x 1.2.3.4`)
> * names involved (are they things I'm likely requesting, directly or
> indirectly?)
> * am I seeing some kind of shared network traffic?
>
> Happy to help more if you want to provide more info.
>
> On Sat, Jun 28, 2014 at 2:50 PM, Mike Spencer <mspencer at tallships.ca>
> wrote:
> >
> > I'm seeing (with tcpdump running in an xterm behind whatever I'm
> > doing) numerous packets, variously:
> >
> >    + source port 53, reporting ServFail
> >
> >    + source port 53, reporting NXDomain
> >
> >    + ICMP reporting "udp port 53 unreachable"
> >
> > from IP addresses all over IP space. So these appear (I suppose
> > intentionally) to be replies to DNS requests that I never sent.
> >
> > Can someone explain what the object of this is (or cause, if it's a
> > side effect) or point me to an on-line explanation or discussion?
> >
> > Googling hasn't produced much, if any, enlightenment.  iptables is
> > dropping the packets but I'm curious.
> >
> >
> > - Mike
> >
> > --
> > Michael Spencer                  Nova Scotia, Canada       .~.
> >                                                            /V\
> > mspencer at tallships.ca                                     /( )\
> > http://home.tallships.ca/mspencer/                        ^^-^^
> > _______________________________________________
> > nSLUG mailing list
> > nSLUG at nslug.ns.ca
> > http://nslug.ns.ca/mailman/listinfo/nslug
>
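
The matching suggested at the top of this message, sketched as an added example that is not part of the original thread: it pairs each DNS response arriving from source port 53 with an earlier outgoing query by server IP, local port and transaction ID, and returns the responses that have no match. The packet tuples, addresses and the `make_msg` helper are constructed for illustration; getting the tuples out of a real capture is assumed to be done by your own tooling.

```python
import struct
from collections import Counter

RCODES = {0: "NoError", 2: "ServFail", 3: "NXDomain", 5: "Refused"}

def dns_header(payload):
    """Return (txid, is_response, rcode) from the 12-byte DNS header, or None."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000), flags & 0x000F

def find_unsolicited(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) in capture order.
    Returns (server_ip, local_port, rcode) for replies with no earlier matching query."""
    pending = set()      # (server_ip, local_ip, local_port, txid) for queries we sent
    unsolicited = []
    for src, sport, dst, dport, payload in packets:
        hdr = dns_header(payload)
        if hdr is None:
            continue     # too short to be a DNS message
        txid, is_response, rcode = hdr
        if not is_response and dport == 53:
            pending.add((dst, src, sport, txid))
        elif is_response and sport == 53:
            key = (src, dst, dport, txid)
            if key in pending:
                pending.discard(key)   # each query accounts for one reply
            else:
                unsolicited.append((src, dport, RCODES.get(rcode, str(rcode))))
    return unsolicited

def summarize(unsolicited):
    """Count unsolicited replies per response code."""
    return Counter(rcode for _, _, rcode in unsolicited)

def make_msg(txid, response=False, rcode=0):
    """Build a header-only DNS message for the sample below (hypothetical helper)."""
    flags = (0x8000 if response else 0x0100) | rcode
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

# Constructed sample capture using documentation address ranges, not real data.
SAMPLE = [
    ("192.0.2.10", 40000, "198.51.100.53", 53, make_msg(0x1111)),
    ("198.51.100.53", 53, "192.0.2.10", 40000, make_msg(0x1111, True, 0)),
    ("203.0.113.7", 53, "192.0.2.10", 53211, make_msg(0xBEEF, True, 2)),
    ("203.0.113.99", 53, "192.0.2.10", 61000, make_msg(0xCAFE, True, 3)),
    ("198.51.100.53", 53, "192.0.2.10", 40000, make_msg(0x1111, True, 0)),
]
```

`find_unsolicited(SAMPLE)` returns the ServFail and NXDomain replies, plus the second copy of the NoError reply, since the query it would match has already been answered.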

