Date:      Sat, 29 Jan 2000 16:02:26 +0100
From:      sthaug@nethelp.no
To:        oogali@intranova.net
Cc:        mccord@zytek.com, freebsd-security@freebsd.org
Subject:   Re: Continual DNS requests from mysterious IP
Message-ID:  <98581.949158146@verdi.nethelp.no>
In-Reply-To: Your message of "Sat, 29 Jan 2000 09:46:48 -0500 (EST)"
References:  <Pine.BSF.4.10.10001290933320.25220-100000@hydrant.intranova.net>

> If you understand the tcpdump output you'll see that it's a query
> for the MX records of aol.com so a successful mail transfer can be
> achieved.

I doubt that's why this is happening, see below.

> This is the normal course of events:
> 
> 1) The user types the e-mail (or a program generates the e-mail)
>    and transfers it to the local mail daemon or the SMTP daemon.
> 
> 2) The mail daemon looks at the outgoing address and requests a "what
>    mailserver is authoritative for this address" record from the local
>    resolver.
> 
> 3) The local resolver forwards the request to the first available name
>    server specified from /etc/resolv.conf. (Line 1 of tcpdump)
> 
> 4) -hidden- The other nameservers forward to the root servers and traverse
>    down the path of yellow brick DNS road till it gets an answer.
> 
> 5) Our happy little nameserver runs back to the requesting resolver with
>    an answer (Line 2 of tcpdump).
> 
> Apparently, your machine is either blocking the replies, dropping them, or
> not seeing them at all, causing the retransmits of steps 3-5. Now the
> normal course of events would continue like this:

The problem is that:

- These queries are directed to machines which have nothing to do with
aol.com (and are not authoritative name servers for aol.com).

- These queries are being repeated indefinitely.

(Yes, it's happening here too.)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
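As an added example, not part of the thread, here is a small Python checker that runs over tcpdump-style DNS lines and flags the two things Steinar points out: the same query repeated to one destination with no matching response, and queries sent to a server that is not one of the client's configured resolvers. The sample lines, addresses, simplified line format and the resolver set are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style DNS lines (simplified format; not from the thread).
SAMPLE = """\
16:01:01.000 192.0.2.10.1053 > 198.51.100.7.53: 4711+ MX? aol.com. (25)
16:01:06.000 192.0.2.10.1053 > 198.51.100.7.53: 4711+ MX? aol.com. (25)
16:01:11.000 192.0.2.10.1053 > 198.51.100.7.53: 4711+ MX? aol.com. (25)
16:01:12.000 192.0.2.10.1054 > 192.0.2.53.53: 4712+ MX? example.net. (29)
16:01:12.100 192.0.2.53.53 > 192.0.2.10.1054: 4712 1/0/0 MX mail.example.net. 10 (80)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)\.(\d+)"          # address followed by port
QUERY = re.compile(rf"^(\S+) {IP} > {IP}: (\d+)\+ (\w+)\? (\S+) \(\d+\)$")
RESPONSE = re.compile(rf"^(\S+) {IP} > {IP}: (\d+)\*? \d+/\d+/\d+ ")

def find_repeated_unanswered(text, min_repeats=3):
    """Return (client, server, qtype, qname, count) for every query that was
    sent at least min_repeats times and never received a matching response."""
    queries = defaultdict(int)   # (client_ip, server_ip, qtype, qname) -> count
    pending = {}                 # (client_ip, client_port, server_ip, id) -> query key
    answered = set()
    for line in text.splitlines():
        m = QUERY.match(line)
        if m:
            _, cip, cport, sip, _, qid, qtype, qname = m.groups()
            key = (cip, sip, qtype, qname)
            queries[key] += 1
            pending[(cip, cport, sip, qid)] = key
            continue
        m = RESPONSE.match(line)
        if m:
            # A response is matched to its query by the reversed 4-tuple and the DNS id.
            _, sip, _, cip, cport, qid = m.groups()
            key = pending.get((cip, cport, sip, qid))
            if key:
                answered.add(key)
    return sorted(
        (k[0], k[1], k[2], k[3], n) for k, n in queries.items()
        if n >= min_repeats and k not in answered
    )

# Constructed assumption: the resolvers this client lists in /etc/resolv.conf.
EXPECTED_SERVERS = {"192.0.2.53"}

def misdirected(findings, expected=EXPECTED_SERVERS):
    """Findings whose destination is none of the client's configured resolvers."""
    return [f for f in findings if f[1] not in expected]
```

Running `misdirected(find_repeated_unanswered(SAMPLE))` reports the aol.com MX query sent three times to 198.51.100.7 without an answer, while the answered example.net query is left alone.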
