[Snort-users] Identifying dnsspoof
bk at ...1044...
Thu Jan 4 20:10:01 EST 2001
> I've never seen a legitimate standard query response with such a
> short Time to live value.
i've seen dynamic dns providers set their ttl as low as 5 seconds.
others use different values, still under a minute. here's a random
example (the ttl is 20 s).
; dnsq a quake.dyndns.com ns.dyndns.com
143 bytes, 1+2+2+2 records, response, authoritative, weird ra, noerror
query: 1 quake.dyndns.com
answer: quake.dyndns.com 20 CNAME telia.suger.dyndns.com
answer: telia.suger.dyndns.com 20 A 184.108.40.206
authority: dyndns.com 20 NS ns.dyndns.com
authority: dyndns.com 20 NS ns2.dyndns.com
additional: ns.dyndns.com 20 A 220.127.116.11
additional: ns2.dyndns.com 20 A 18.104.22.168
More information about the Snort-users