[Snort-sigs] Question Alert 1948

Rich Adamson radamson at ...908...
Sat Jul 19 10:58:01 EDT 2003

> Thank you for your attention and assistance. I was reviewing the various
> snort alerts and came upon alert 1948 which confused me. It is DNS zone
> transfer UDP. According to TCP/IP Illustrated, Volume 1 The Protocols by W.
> Richard Stevens on page 206 "Zone transfers are done using TCP, since there
> is much more data to transfer than a single query or response." So I was
> wondering why the alert specified UDP? I hope you can educate me and thanks
> again for the help.

I think someone addressed this some time ago, and if memory serves, either
udp or tcp can be used for transfers. I believe the comment was something about
zone size; if a zone transfer is very small, udp is used, otherwise tcp is
used. (My memory might be less than accurate here.)
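
Added example, not part of the original thread and not the Snort rule itself: one way to spot a zone-transfer request inside a UDP DNS payload is to parse the question section and check the QTYPE (252 for AXFR per RFC 1035; IXFR, 251 per RFC 1995, is included as a generalization beyond the thread). The function names and the sample query builder are constructed for illustration.

```python
import struct

QTYPE_AXFR = 252  # RFC 1035: request for a full zone transfer
QTYPE_IXFR = 251  # RFC 1995: incremental zone transfer (added generalization)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length


def zone_transfer_qtypes(payload: bytes) -> list:
    """Return the zone-transfer QTYPEs asked for in a DNS query payload."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:                   # QR bit set: a response, not a query
        return []
    found, off = [], 12
    for _ in range(qdcount):
        off = _skip_name(payload, off)
        if off + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if qtype == QTYPE_AXFR:
            found.append("AXFR")
        elif qtype == QTYPE_IXFR:
            found.append("IXFR")
    return found


def build_query(name: str, qtype: int) -> bytes:
    """Constructed sample input: a one-question DNS query, class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)
```

Pass `zone_transfer_qtypes` the UDP payload of a packet sent to port 53; a non-empty result means the query asked for a zone transfer over UDP.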
