[Snort-users] MISC source port 53

Blake Frantz blake at ...319...
Mon Apr 9 12:32:29 EDT 2001
Forwarding/Caching DNS servers use source port 53 for peer-to-peer
communications.

For example, the traffic would look like this:

DNS_Client sends a UDP lookup request to Caching_or_Forwarding_DNS_Server:

UDP DNS_Client:1423 -> Caching_or_Forwarding_DNS_Server:53

If there is a cache miss or the server doesn't have the answer,
Caching_or_Forwarding_DNS_Server forwards the request to
Remote_or_Authority_DNS_Server:

UDP Caching_or_Forwarding_DNS_Server:53 -> Remote_or_Authority_DNS_Server:53

...

Hope this helps.

Blake

================================================================= 
The Government, like diapers, should be replaced regularly, and
often for the same reasons. 

On Mon, 9 Apr 2001, Jason Haar wrote:

> I'm starting to see a lot of "MISC source port 53 to <1023" hits. I think
> it's due to the rules update I did last week, but I think it's causing heaps
> of false positives.
> 
> I sniffed out a few - here's what tcpdump reports:
> 
> 14:00:28.890720 12.26.84.131.53 > 203.167.239.194.53:  39188 A?
> trimble.co.nz. (31) (DF)
> 14:00:28.892319 203.167.239.194.53 > 12.26.84.131.53:  39188* 0/1/0 (84)
> 14:00:47.116723 198.186.203.85.53 > 203.167.239.194.53:  18947 MX?
> trimble.co.nz. (31)
> 14:00:47.118779 203.167.239.194.53 > 198.186.203.85.53:  18947* 1/3/3 MX
> hades.trimble.co.nz. 10 (163)
> 14:03:16.556402 202.101.38.219.53 > 203.167.239.194.53:  2382 A?
> trimble.co.nz. (31) (DF)
> 14:03:16.557736 203.167.239.194.53 > 202.101.38.219.53:  2382* 0/1/0 (84)
> 
> 
> Looks to me like a DNS server looking up our NS, then doing an MX record
> lookup. Nothing suspicious about that except that its UDP source port is 53
> instead of > 1023.
> 
> Looking these addresses up has so far returned either DNS or SMTP servers -
> which sort-a follows :-) Strangely enough, the SMTP servers have all been
> Unix ones - which sort of implies the DNS servers will also be Unix. So what
> DNS server uses port 53 for sending standard DNS queries?
> 
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
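As an added example, not code from either poster, here is the triage logic the thread arrives at, in Python: parse tcpdump summary lines like the ones Jason quoted, keep the rule's original intent (UDP source port 53 to a destination port below 1024), but set 53-to-53 traffic aside, since Blake explains it as forwarding/caching resolvers talking server-to-server. The `home_net` set, the `Finding` fields and the last sample line (a 53-to-111 packet from an RFC 5737 test address) are assumptions or constructed data; the first four sample lines are the quoted tcpdump output with the archive's line wrapping undone.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: four lines copied from the quoted tcpdump output
# (re-joined where the mail archive wrapped them) plus one constructed line
# from an RFC 5737 test address, aimed at a low, non-DNS port.
SAMPLE_TCPDUMP = """\
14:00:28.890720 12.26.84.131.53 > 203.167.239.194.53:  39188 A? trimble.co.nz. (31) (DF)
14:00:28.892319 203.167.239.194.53 > 12.26.84.131.53:  39188* 0/1/0 (84)
14:00:47.116723 198.186.203.85.53 > 203.167.239.194.53:  18947 MX? trimble.co.nz. (31)
14:00:47.118779 203.167.239.194.53 > 198.186.203.85.53:  18947* 1/3/3 MX hades.trimble.co.nz. 10 (163)
14:05:00.000000 192.0.2.10.53 > 203.167.239.194.111:  4242 A? example.net. (29)
"""

# Shape of a tcpdump UDP/DNS summary line as quoted in the thread:
#   <time> <src-ip>.<sport> > <dst-ip>.<dport>: <dns summary>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<summary>.*)$"
)

# tcpdump prints a query as "<id>[+] <TYPE>? <name>" and a response as
# "<id>[*] <ans>/<auth>/<add>"; the '?' after the type marks a query.
QUERY_RE = re.compile(r"^\d+\+?\s+\S+\?")


@dataclass
class Finding:
    src: str
    sport: int
    dst: str
    dport: int
    is_query: bool
    verdict: str  # "expected-dns-peer", "alert-low-port" or "no-match"


def classify(line, home_net=None):
    """Apply the 'source port 53 to <1023' check with the thread's exception.

    Returns None for lines that do not parse. ``home_net`` (an assumed set of
    IP strings) limits the check to packets aimed at your own hosts, the way
    a Snort rule would use its HOME_NET variable.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    is_query = bool(QUERY_RE.match(m["summary"]))
    if home_net is not None and m["dst"] not in home_net:
        verdict = "no-match"
    elif sport != 53 or dport > 1023:
        verdict = "no-match"  # outside what the original rule looks at
    elif dport == 53:
        # Server-to-server traffic from a forwarding/caching resolver: the
        # case Blake describes, and the source of Jason's false positives.
        verdict = "expected-dns-peer"
    else:
        # Source port 53 towards some other privileged port: keep alerting.
        verdict = "alert-low-port"
    return Finding(m["src"], sport, m["dst"], dport, is_query, verdict)


def triage(text, home_net=None):
    """Classify every parseable line of tcpdump output."""
    findings = (classify(ln, home_net) for ln in text.splitlines())
    return [f for f in findings if f is not None]


def summarize(findings):
    """Count findings per verdict, for a quick look at how noisy a rule is."""
    return Counter(f.verdict for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_TCPDUMP, home_net={"203.167.239.194"})
    for f in results:
        kind = "query" if f.is_query else "response"
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  {kind:8s} {f.verdict}")
    print(dict(summarize(results)))
```

Setting the 53-to-53 case aside trades coverage for quiet: anything that reaches your resolver from source port 53 on port 53 is no longer flagged by this check, so it is worth keeping the resolver's own query logging as the second line of visibility for that traffic.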