From: Kutulu (kutulukutulu.org)
Date: Thu Sep 27 2001 - 17:19:36 CDT
At 01:44 PM 09/27/2001 -0400, Mike Wilson wrote:
>A normal operating system DNS query would use an unprivileged source port (
> >1024) to make the DNS request. I would concur that this type of traffic
Or else, it would use port 53. Since DNS servers reply to the same port
the request came in on, recursed queries (server <-> server) would be
sourced on port 53, so the reply would go back that way. My snort logs
certainly show hundreds of port 53 -> port 53 UDP packets to my DNS server
from remote DNS servers, and they all get logged because the snort rule is
just what you specified: source port 0:1023, destination port 53.
Nonetheless, you are absolutely correct that source-port 69 is highly
unusual. It's also a rather sneaky way to portscan a DNS server for open
UDP ports. Guess I should put the above-mentioned noisy snort rule back.
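As an added illustration of the point made in the reply above (not code from the original post or from Neohapsis), the script below applies the thread's "source port 0:1023, destination port 53" rule to a few constructed UDP flows and then separates the noisy server-to-server case (source port 53, normal for recursive queries) from the genuinely unusual privileged-source case such as port 69. The flow records, addresses and the helper names are all assumptions made for this example.

```python
# Added example: triage UDP-to-port-53 flows the way the thread's snort rule
# would match them, then tell the noisy 53 -> 53 traffic apart from the odd
# privileged-source-port traffic. Not part of the original post.
from dataclasses import dataclass
from typing import List, Tuple

# Rough snort equivalent of the rule quoted in the thread (for reference only):
#   alert udp any 0:1023 -> $DNS_SERVERS 53 (msg:"privileged src port to DNS";)

@dataclass(frozen=True)
class UdpFlow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed sample traffic; addresses are from documentation ranges.
SAMPLE_FLOWS: List[UdpFlow] = [
    UdpFlow("192.0.2.10", 34567, "198.51.100.5", 53),  # stub resolver, unprivileged source
    UdpFlow("203.0.113.7", 53, "198.51.100.5", 53),    # remote DNS server recursing, 53 -> 53
    UdpFlow("203.0.113.9", 69, "198.51.100.5", 53),    # privileged source port 69, unusual
    UdpFlow("192.0.2.11", 1023, "198.51.100.5", 53),   # edge of the 0:1023 range
    UdpFlow("192.0.2.12", 53, "198.51.100.5", 80),     # not DNS at all
]

def matches_noisy_rule(flow: UdpFlow) -> bool:
    """The rule as quoted in the thread: source port 0:1023, destination port 53."""
    return flow.dst_port == 53 and 0 <= flow.src_port <= 1023

def classify(flow: UdpFlow) -> str:
    """Label a flow so the analyst can filter expected noise from anomalies."""
    if flow.dst_port != 53:
        return "not-dns"
    if flow.src_port > 1023:
        return "unprivileged-source"       # normal operating-system resolver behaviour
    if flow.src_port == 53:
        return "server-to-server"          # expected for recursed queries; noisy if alerted
    return "privileged-source-anomaly"     # e.g. source port 69, worth a closer look

def triage(flows: List[UdpFlow]) -> List[Tuple[str, int, str]]:
    """Return (src_ip, src_port, label) for every flow the noisy rule would fire on."""
    return [(f.src_ip, f.src_port, classify(f)) for f in flows if matches_noisy_rule(f)]

def anomalies(flows: List[UdpFlow]) -> List[Tuple[str, int, str]]:
    """Only the hits that are not the expected 53 -> 53 recursion traffic."""
    return [hit for hit in triage(flows) if hit[2] == "privileged-source-anomaly"]

if __name__ == "__main__":
    for src_ip, src_port, label in triage(SAMPLE_FLOWS):
        print(f"{src_ip}:{src_port} -> 53  {label}")
```

Running it shows that three of the five sample flows trip the rule, but only two of them are anomalies; the 53 -> 53 hit is the kind of noise the reply describes seeing in the hundreds.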