[Snort-users] Identifying dnsspoof

Brian Kifiak bk at ...1044...
Thu Jan 4 20:10:01 EST 2001

> I've never seen a legitimate standard query response with such a
> short Time to live value.

i've seen dynamic dns providers set their ttl as low as 5 seconds.

others use different values, still under a minute.  here's a random
example (the ttl is 20 s).

; dnsq a quake.dyndns.com ns.dyndns.com
1 quake.dyndns.com:
143 bytes, 1+2+2+2 records, response, authoritative, weird ra, noerror
query: 1 quake.dyndns.com
answer: quake.dyndns.com 20 CNAME telia.suger.dyndns.com
answer: telia.suger.dyndns.com 20 A
authority: dyndns.com 20 NS ns.dyndns.com
authority: dyndns.com 20 NS ns2.dyndns.com
additional: ns.dyndns.com 20 A
additional: ns2.dyndns.com 20 A

More information about the Snort-users mailing list