[nSLUG] [OT] Numerous probes seen as bogus DNS "replies"
Chris R. Thompson
chris.thompson at solutioninc.com
Mon Jun 30 01:30:37 ADT 2014
Sorry to come in late but... What were you doing? What command or filter did you use? What was the full output? What is/was your IP?
Is your traffic NATed? Are you using a VLAN?
Thanks
Christopher
On Jun 28, 2014 10:51 PM, Joel Maxuel <j.maxuel at gmail.com> wrote:
>
> I would try running a traffic analyzer (like Wireshark) and then match the latest port 53 errors with (e.g. by IP) what the Wireshark data dump delivers. Should provide a fuller story.
--
Cheers,
Joel Maxuel
"One should strive to achieve, not sit in bitter regret."
- Ronan Harris / Mark Jackson
On Sat, Jun 28, 2014 at 8:05 PM, Dan Peterson <dpiddy at gmail.com> wrote:
If I was researching this for myself, I would look into:
* IP info for both sides (is one me? who owns them? `whois 1.2.3.4`,
`dig -x 1.2.3.4`)
* names involved (are they things I'm likely requesting, directly or
indirectly?)
* am I seeing some kind of shared network traffic?
Happy to help more if you want to provide more info.
On Sat, Jun 28, 2014 at 2:50 PM, Mike Spencer <mspencer at tallships.ca> wrote:
>
> I'm seeing (with tcpdump running in an xterm behind whatever I'm
> doing) numerous packets, variously:
>
> + source port 53, reporting ServFail
>
> + source port 53, reporting NXDomain
>
> + ICMP reporting "udp port 53 unreachable"
>
> from IP addresses all over IP space. So these appear (I suppose
> intentionally) to be replies to DNS requests that I never sent.
>
> Can someone explain what the object of this is (or cause, if it's a
> side effect) or point me to an on-line explanation or discussion?
>
> Googling hasn't produced much, if any, enlightenment. iptables is
> dropping the packets but I'm curious.
>
>
> - Mike
>
> --
> Michael Spencer Nova Scotia, Canada .~.
> /V\
> mspencer at tallships.ca /( )\
> http://home.tallships.ca/mspencer/ ^^-^^
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca
> http://nslug.ns.ca/mailman/listinfo/nslug
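One way to carry out the matching suggested in the thread, as an added example that is not code from any poster: correlate each inbound UDP packet from port 53 with the queries this host actually sent, keyed on remote IP, local port and DNS transaction ID, and report the replies that match nothing. It assumes the packets have already been extracted from a capture into tuples; the function names and the sample traffic (documentation address ranges) are constructed for illustration.

```python
import struct

RCODES = {0: "NoError", 2: "ServFail", 3: "NXDomain", 5: "Refused"}

def dns_header(payload):
    """Return (txid, is_response, rcode) from the 12-byte DNS header, or None."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000), flags & 0x000F

def unsolicited_replies(packets):
    """packets: (direction, remote_ip, local_port, remote_port, udp_payload)
    in capture order. Returns replies from port 53 that match no query we sent."""
    pending = set()   # (remote_ip, local_port, txid) of queries still unanswered
    flagged = []
    for direction, remote_ip, local_port, remote_port, payload in packets:
        hdr = dns_header(payload)
        if hdr is None or remote_port != 53:
            continue
        txid, is_response, rcode = hdr
        key = (remote_ip, local_port, txid)
        if direction == "out" and not is_response:
            pending.add(key)
        elif direction == "in" and is_response:
            if key in pending:
                pending.discard(key)   # legitimate answer, consume it
            else:
                flagged.append((remote_ip, local_port, RCODES.get(rcode, str(rcode))))
    return flagged

def _msg(txid, response, rcode=0):
    """Constructed header-only DNS message (no question section) for the demo."""
    flags = (0x8000 if response else 0x0100) | rcode
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

# Constructed sample traffic, not taken from the thread.
SAMPLE = [
    ("out", "192.0.2.53", 40001, 53, _msg(0x1A2B, False)),
    ("in", "192.0.2.53", 40001, 53, _msg(0x1A2B, True)),        # answers our query
    ("in", "198.51.100.7", 33333, 53, _msg(0x9999, True, 2)),   # ServFail, never asked
    ("in", "203.0.113.9", 44444, 53, _msg(0x0001, True, 3)),    # NXDomain, never asked
    ("in", "192.0.2.53", 40001, 53, _msg(0x1A2B, True)),        # repeat of a consumed answer
]

if __name__ == "__main__":
    for ip, port, rcode in unsolicited_replies(SAMPLE):
        print(f"unsolicited {rcode} from {ip}:53 to local port {port}")
```

If the host sits behind NAT, the capture has to be taken where the local port numbers are the ones the resolver actually used, otherwise legitimate answers will not match their queries.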