Security Forums

trying to understand DNS traffic

jacksmash (Just Arrived)
Joined: 02 Mar 2010

Posted: Tue Mar 02, 2010 4:07 pm    Post subject: trying to understand DNS traffic

Hi,

I'm brand new here. I'm collecting NetFlow traffic on an ethernet tap at home. One thing I've noticed is a ton of DNS traffic. I'm wondering why this is? Is it because outside machines are constantly asking my router for DNS information?

Here is a (portion of a) log that I pulled up just from today:

Code:

            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|      dur|
        A.B.C.D|       X.Y.0.94|63585|   53| 17|         1|        85|    0.035|
        A.B.C.D|       X.Y.0.95|63586|   53| 17|         1|        86|    0.034|
        A.B.C.D|       X.Y.0.94|63587|   53| 17|         1|        85|    0.031|
        A.B.C.D|       X.Y.0.95|63588|   53| 17|         1|        86|    0.029|
       X.Y.0.94|        A.B.C.D|   53|63585| 17|         1|        85|    0.000|
        A.B.C.D|       X.Y.0.94|63589|   53| 17|         1|        86|    0.030|
       X.Y.0.95|        A.B.C.D|   53|63586| 17|         1|        86|    0.000|
        A.B.C.D|       X.Y.0.95|63590|   53| 17|         1|        72|    0.028|
       X.Y.0.94|        A.B.C.D|   53|63587| 17|         1|        85|    0.000|
       X.Y.0.95|        A.B.C.D|   53|63588| 17|         1|        86|    0.000|
       X.Y.0.94|        A.B.C.D|   53|63589| 17|         1|        86|    0.000|
       X.Y.0.95|        A.B.C.D|   53|63590| 17|         1|        72|    0.000|
        A.B.C.D|       X.Y.0.94|63591|   53| 17|         2|       144|    0.028|
        A.B.C.D|       X.Y.0.95|63591|   53| 17|         1|        72|    0.017|
       X.Y.0.94|        A.B.C.D|   53|63591| 17|         2|       240|    0.011|
       X.Y.0.95|        A.B.C.D|   53|63591| 17|         1|       120|    0.000|
        A.B.C.D|       X.Y.0.95|63592|   53| 17|         1|        73|    0.022|
        A.B.C.D|       X.Y.0.94|63593|   53| 17|         1|        72|    0.025|
        A.B.C.D|       X.Y.0.95|63594|   53| 17|         1|        73|    0.028|
       X.Y.0.95|        A.B.C.D|   53|63592| 17|         1|       121|    0.000|
        A.B.C.D|       X.Y.0.94|63595|   53| 17|         1|        73|    0.029|
       X.Y.0.94|        A.B.C.D|   53|63593| 17|         1|       120|    0.000|
       X.Y.0.95|        A.B.C.D|   53|63594| 17|         1|       121|    0.000|
       X.Y.0.94|        A.B.C.D|   53|63595| 17|         1|       121|    0.000|
        A.B.C.D|       X.Y.0.95|63596|   53| 17|         1|        73|    0.012|
       X.Y.0.95|        A.B.C.D|   53|63596| 17|         1|       118|    0.000|
        A.B.C.D|       X.Y.0.94|63597|   53| 17|         1|        59|    0.011|
       X.Y.0.94|        A.B.C.D|   53|63597| 17|         1|       174|    0.000|
        A.B.C.D|       X.Y.0.95|63598|   53| 17|         1|        61|    0.030|
        A.B.C.D|       X.Y.0.94|63599|   53| 17|         1|        74|    0.033|
        A.B.C.D|       X.Y.0.94|63601|   53| 17|         1|        77|    0.028|
        A.B.C.D|       X.Y.0.95|63600|   53| 17|         1|        75|    0.028|
       X.Y.0.95|        A.B.C.D|   53|63598| 17|         1|       152|    0.000|
        A.B.C.D|       X.Y.0.95|63602|   53| 17|         1|        62|    0.026|
       X.Y.0.94|        A.B.C.D|   53|63599| 17|         1|       168|    0.000|
       X.Y.0.95|        A.B.C.D|   53|63600| 17|         1|       126|    0.000|
       X.Y.0.94|        A.B.C.D|   53|63601| 17|         1|       197|    0.000|
        A.B.C.D|       X.Y.0.94|63603|   53| 17|         1|        60|    0.027|
       X.Y.0.95|        A.B.C.D|   53|63602| 17|         1|       114|    0.000|
       X.Y.0.94|        A.B.C.D|   53|63603| 17|         1|       176|    0.000|


Note that A.B.C.D is my gateway address.

Any insights would be appreciated. Thanks.
jacksmash (Just Arrived)
Joined: 02 Mar 2010

Posted: Tue Mar 02, 2010 4:25 pm

By using dig on the 2 outside hosts, I realize that they are the DNS servers for my ISP. So, I guess my question is still "why so much traffic?" Also, a lot of this traffic gets flagged by Snort as an alert because it thinks there are attempted DNS spoof attacks.
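The two questions in this thread (who is generating all the DNS flows in the first post, and whether the responses that Snort flags as spoofing in the second post actually follow a query) can both be checked from the NetFlow records themselves. The script below is an added example, not code from the poster or from any tool the thread mentions. It parses the pipe-delimited layout quoted above (a SiLK-style rwcut output is assumed; the helper names are mine), classifies each UDP/53 flow by direction relative to the gateway, and pairs every response flow with the query flow that shares its resolver address and ephemeral port. The sample records are a subset of the quoted log plus one constructed response (port 65000) that has no matching query, so the unsolicited-response check has something to catch.

```python
"""Added example, not code from the original post: parse pipe-delimited
NetFlow records in the layout quoted in the thread (SiLK-style rwcut output
is assumed; helper names are mine), classify DNS flows by direction, and
pair each response flow with its query flow."""
from collections import Counter

GATEWAY = "A.B.C.D"  # the poster's gateway address, as stated in the thread

# Constructed sample: a subset of the flows quoted in the post, plus one
# constructed response on port 65000 that has no matching query.
SAMPLE_FLOWS = """\
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|      dur|
        A.B.C.D|       X.Y.0.94|63585|   53| 17|         1|        85|    0.035|
        A.B.C.D|       X.Y.0.95|63586|   53| 17|         1|        86|    0.034|
       X.Y.0.94|        A.B.C.D|   53|63585| 17|         1|        85|    0.000|
       X.Y.0.95|        A.B.C.D|   53|63586| 17|         1|        86|    0.000|
        A.B.C.D|       X.Y.0.94|63591|   53| 17|         2|       144|    0.028|
        A.B.C.D|       X.Y.0.95|63591|   53| 17|         1|        72|    0.017|
       X.Y.0.94|        A.B.C.D|   53|63591| 17|         2|       240|    0.011|
       X.Y.0.95|        A.B.C.D|   53|63591| 17|         1|       120|    0.000|
       X.Y.0.94|        A.B.C.D|   53|65000| 17|         1|       168|    0.000|
"""

INT_FIELDS = ("sPort", "dPort", "pro", "packets", "bytes")


def parse_flows(text):
    """Turn the pipe-delimited text into a list of dicts keyed by the
    header names; numeric fields are converted so they can be compared."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].strip().strip("|").split("|")]
    records = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        rec = dict(zip(header, fields))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        rec["dur"] = float(rec["dur"])
        records.append(rec)
    return records


def is_dns(rec):
    """UDP (protocol 17) with port 53 on either side."""
    return rec["pro"] == 17 and 53 in (rec["sPort"], rec["dPort"])


def classify_directions(records, gateway=GATEWAY):
    """Count DNS flows by direction relative to the gateway.  A non-zero
    'query_to_gateway' would mean outside hosts are using the gateway as a
    resolver; 'query_from_gateway' is the gateway resolving names itself."""
    counts = Counter()
    for rec in records:
        if not is_dns(rec):
            counts["non_dns"] += 1
        elif rec["sIP"] == gateway and rec["dPort"] == 53:
            counts["query_from_gateway"] += 1
        elif rec["dIP"] == gateway and rec["sPort"] == 53:
            counts["response_to_gateway"] += 1
        elif rec["dIP"] == gateway and rec["dPort"] == 53:
            counts["query_to_gateway"] += 1
        else:
            counts["other_dns"] += 1
    return counts


def pair_queries(records, gateway=GATEWAY):
    """Match each response flow to an earlier query flow on the same
    (resolver, ephemeral port).  Returns (queries per resolver, list of
    responses that had no preceding query).  Flow records are assumed to
    be in start-time order, as in the quoted log."""
    pending = set()
    per_resolver = Counter()
    unsolicited = []
    for rec in records:
        if not is_dns(rec):
            continue
        if rec["sIP"] == gateway and rec["dPort"] == 53:
            pending.add((rec["dIP"], rec["sPort"]))
            per_resolver[rec["dIP"]] += 1
        elif rec["dIP"] == gateway and rec["sPort"] == 53:
            key = (rec["sIP"], rec["dPort"])
            if key in pending:
                pending.discard(key)
            else:
                unsolicited.append(rec)
    return per_resolver, unsolicited


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(dict(classify_directions(flows)))
    per_resolver, unsolicited = pair_queries(flows)
    print("queries per resolver:", dict(per_resolver))
    for rec in unsolicited:
        print("response with no matching query:", rec["sIP"], "-> port", rec["dPort"])
```

Run against the quoted log, every query flow has the gateway as source and one of the two ISP resolvers as destination, which the direction counts make explicit: the volume is the home network resolving names, not outside machines querying the router (that case would show up as `query_to_gateway`). The pairing step is the first thing to check when an IDS raises DNS-spoof alerts: a response that arrives on an ephemeral port with no preceding query to that resolver deserves a look, while a response that matches a query on the same port is ordinary resolver traffic. NetFlow only shows one flow per (address, port) pair, so this check cannot see transaction IDs or answer contents; for that a packet capture on the tap is needed.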