Curious DNS traffic

D

Dougga

I'm seeing strange DNS traffic from one of my windows hosts.
Specifically I have a WinXP client on a Windows domain that his
attmepting to communicate to external hosts on port 53.

Here's a single line from my firewall log:
2:08:56 Default DROP TCP 10.1.10.5:2818 → 193.0.14.129 : 53 [SYN]
len=52 ttl=127 tos=0x00 srcmac=00:09:5b:89:d2:0a
dstmac=00:13:46:e6:13:5e

The target hosts is a root server in the Netherlands so it appears
that this client is acting as a DNS Server and ignoring the local
server that it understands to be its own server. Using traditional
command line tools, it queries the local DNS server while continuing
to attempt communications externally to the root DNS servers.

Does anyone have hints as to why this would be?
I've tried the usual suspects of network protocol settings (DHCP-
defined servers and explicit definitions of DNS servers).

Thanks
 
W

Will

Do you see any unusual volumes of outgoing SMTP traffic, or possibly SMTP
originating from inappropriate hosts? If this is a hack, one reason to do
the DNS lookups on a controlled machine might be to guarantee the ability to
do MX record lookups at higher speeds for sending spam from the machine.

If the target host is controlled by the same group, then all bets are off
and you would need to look at the actual traffic. They could run telnet on
port 53 and just be trying to bypass the firewall ruleset over well known
ports.

Anyway, sounds like you have some fun debugging ahead. :)

--
Will


"Dougga" <doug.almquist@gmail.com> wrote in message
news:1192648682.292497.88830@v23g2000prn.googlegroups.com...
I'm seeing strange DNS traffic from one of my windows hosts.
Specifically I have a WinXP client on a Windows domain that his
attmepting to communicate to external hosts on port 53.

Here's a single line from my firewall log:
2:08:56 Default DROP TCP 10.1.10.5:2818 ? 193.0.14.129 : 53 [SYN]
len=52 ttl=127 tos=0x00 srcmac=00:09:5b:89:d2:0a
dstmac=00:13:46:e6:13:5e

The target hosts is a root server in the Netherlands so it appears
that this client is acting as a DNS Server and ignoring the local
server that it understands to be its own server. Using traditional
command line tools, it queries the local DNS server while continuing
to attempt communications externally to the root DNS servers.

Does anyone have hints as to why this would be?
I've tried the usual suspects of network protocol settings (DHCP-
defined servers and explicit definitions of DNS servers).

Thanks
 
You must log in or register to reply here.

Similar threads

D
DNS server - forwarder questions
Replies
0
Views
40
Danny-782
D
P
Windows could not automatically detect this networks proxy settings ( have tried everything and nothing solves this)
Replies
0
Views
312
PaulHill5
P
S
Ethernet not working, Wifi works.
Replies
0
Views
325
slj200
S
I
Desperately need help analyzing the data from my C1100T Router...
Replies
0
Views
217
Inkdchik0
I
M
Media Disconnected for LAN and Bluetooth drivers
Replies
0
Views
194
magicand1d
M
Back
Top Bottom