From: larosa, vjay (larosa_vjay_at_emc.com)
Date: Thu Dec 12 2002 - 13:54:29 CST


    That is exactly what I am trying to figure out. What is the meaning
    of '[1au][|domain]'. 56162 is the DNS transaction ID. When a DNS server
    makes a request a number is tagged to it, that way when the reply comes
    back it can match it up with the request. I just don't know what the meaning
    of 1au is.

    vjl

    -----Original Message-----
    From: Valdis.Kletnieksvt.edu [mailto:Valdis.Kletnieksvt.edu]
    Sent: Thursday, December 12, 2002 12:18 PM
    To: larosa, vjay
    Cc: incidentssecurityfocus.com
    Subject: Re: DNS help

    On Wed, 11 Dec 2002 16:09:49 EST, "larosa, vjay" <larosa_vjayemc.com>
    said:
    > Hello,
    >
    > These packets were caught using a shadow IDS sensor. I was hoping that
    > somebody in the list could help me understand what is happening below.
    > I am familiar with snort and tcpdump, as well as the concept of packet
    > fragmentation. I am mostly interested in finding out about the DNS
    > requests being made, and why they are coming back fragmented.

    Given that they fragged at 1480, I'd suspect you're going through a VPN
    at some point. You're going to their nameserver to look something up
    and the replies are getting fragged on the way.

    Is your DNS server a secondary for a zone hosted at outside.guy.com? This
    looks like it might be AXFR traffic. It's hard to tell without knowing what
    IDS produced the log entries - if I knew what '56162 [1au][|domain]' meant
    I could tell you more.

    > 12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162
    > [1au][|domain] (DF)

    > 12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795:
    > 56162[|domain] (frag 48818:14800+)

    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    

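The question left open in the thread, what '56162 [1au][|domain]' means, has a fixed answer in tcpdump's DNS output format: 56162 is the transaction ID, [1au] says the additional section holds one record (in a query, normally the EDNS0 OPT record that advertises a UDP payload size above the classic 512 bytes, which is what allows a reply to exceed one MTU and arrive as IP fragments), and [|domain] means the capture snaplen cut the DNS payload before tcpdump could decode the rest. The parser below is an added example, not code from the thread, that reads lines in this format and pairs each fragmented reply with its query by transaction ID so the EDNS/fragmentation relationship can be checked across a whole sensor log. It assumes sample lines constructed from the thread's output, with the fragment token written in tcpdump's usual id:size@offset+ form, and port names as tcpdump prints them (domain for 53).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the thread's two lines, fragment token in id:size@offset+ form.
SAMPLE_LOG = """\
12:15:24.020319 DNS.server.com.33795 > outside.guy.com.domain: 56162 [1au][|domain] (DF)
12:15:24.170988 outside.guy.com.domain > DNS.server.com.33795: 56162[|domain] (frag 48818:1480@0+)
"""
LINE_RE = re.compile(r"\S+ (?P<src>\S+)\.(?P<sport>[^.\s]+) > "
                     r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+): (?P<txid>\d+)(?P<rest>.*)$")
COUNT_RE = re.compile(r"\[(\d+)(q|a|n|au)\]")             # tcpdump section counts, e.g. [1au]
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")  # IP id, bytes, offset, more-fragments

@dataclass
class DnsEvent:
    src: str
    sport: str
    dst: str
    dport: str
    txid: int                 # DNS transaction ID, e.g. 56162
    counts: dict              # section counts tcpdump printed, e.g. {"au": 1}
    truncated: bool           # "[|domain]": snaplen cut the DNS payload short
    frag: Optional[tuple]     # (ip_id, size, offset, more_fragments) or None
    @property
    def is_response(self) -> bool:
        return self.sport == "domain"   # answers come from the server's port 53

def parse_line(line: str) -> Optional[DnsEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    f = FRAG_RE.search(rest)
    frag = (int(f[1]), int(f[2]), int(f[3]), f[4] == "+") if f else None
    counts = {kind: int(n) for n, kind in COUNT_RE.findall(rest)}
    return DnsEvent(m["src"], m["sport"], m["dst"], m["dport"],
                    int(m["txid"]), counts, "[|domain]" in rest, frag)

def find_fragmented_replies(log: str) -> list:
    """Pair replies with queries by txid; report replies arriving as IP fragments."""
    events = [e for e in map(parse_line, log.splitlines()) if e]
    queries = {(e.txid, e.src, e.sport): e for e in events if not e.is_response}
    findings = []
    for e in events:
        if e.is_response and e.frag and e.frag[3]:   # first fragment with more to follow
            q = queries.get((e.txid, e.dst, e.dport))
            findings.append({"txid": e.txid, "server": e.src, "first_frag_bytes": e.frag[1],
                             "query_had_edns_opt": bool(q and q.counts.get("au"))})
    return findings
```

Run over a real sensor log, a reply flagged with query_had_edns_opt false would be worth a closer look, since without an OPT record a UDP answer should not exceed 512 bytes.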