From dwormuth at post.harvard.edu Mon Sep 7 12:47:40 2009
From: dwormuth at post.harvard.edu (David Wormuth)
Date: Mon, 07 Sep 2009 08:47:40 -0400
Subject: [dnstop] Source in Query
Message-ID: <4AA500EC.1010007@post.harvard.edu>

I figured out what the period means in the Query Name. I configured my iptables to drop those queries, but dnstop is still showing them. Is that because dnstop is inspecting raw packets and not showing me what the actual nameserver is receiving? (Clearly I'm new to dnstop.)

--
David W. Wormuth
6781 Morehouse Flats Road
Jamesville, NY 13078
dwormuth at post.harvard.edu


From dwormuth at post.harvard.edu Sun Sep 6 18:21:10 2009
From: dwormuth at post.harvard.edu (David Wormuth)
Date: Sun, 06 Sep 2009 14:21:10 -0400
Subject: [dnstop] Query name
Message-ID: <4AA3FD96.90800@post.harvard.edu>

What does the "." for the query name mean?

--
David W. Wormuth
6781 Morehouse Flats Road
Jamesville, NY 13078
dwormuth at post.harvard.edu


From wessels at measurement-factory.com Tue Sep 8 16:21:34 2009
From: wessels at measurement-factory.com (Duane Wessels)
Date: Tue, 8 Sep 2009 10:21:34 -0600 (MDT)
Subject: [dnstop] Source in Query
In-Reply-To: <4AA500EC.1010007@post.harvard.edu>
References: <4AA500EC.1010007@post.harvard.edu>

On Mon, 7 Sep 2009, David Wormuth wrote:

> I figured out what the period means in the Query Name. I configured my
> iptables to drop those queries, but dnstop is still showing them. Is that
> because dnstop is inspecting raw packets and not showing me what the
> actual nameserver is receiving?

Hi David,

You are correct. dnstop is seeing the packets hitting your network interface before they get dropped by iptables.

Duane W.
From Sam at ChangeIP.com Tue Sep 8 16:28:58 2009
From: Sam at ChangeIP.com (Sam Norris)
Date: Tue, 8 Sep 2009 09:28:58 -0700
Subject: [dnstop] Query name
References: <4AA3FD96.90800@post.harvard.edu>
Message-ID: <06D36630B1D645A69DD8B74BF2DCC154@changeip.com>

> ----- Original Message -----
> From: "David Wormuth"
>
> What does the "." for the query name mean?

It's a query for the root. Most of the time when I would see those, it was because of a backscatter attack (authoritative DNS only).

Sam


From jose at monkey.org Tue Sep 8 18:53:42 2009
From: jose at monkey.org (Jose Nazario)
Date: Tue, 8 Sep 2009 14:53:42 -0400 (EDT)
Subject: [dnstop] Query name
In-Reply-To: <4AA3FD96.90800@post.harvard.edu>
References: <4AA3FD96.90800@post.harvard.edu>

On Sun, 6 Sep 2009, David Wormuth wrote:

> What does the "." for the query name mean?

query for the dns root. e.g. you'll get back a list of the authoritative root name servers (e.g. A.ROOT-SERVERS.NET., B.ROOT-SERVERS.NET., etc)

________
jose nazario, ph.d. http://monkey.org/~jose/
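The root query the replies above describe, as an added example that is not from the list or from dnstop's own code: a small Python parser that pulls the question name out of a raw DNS query payload (what a capture tool sees on the interface, before any iptables rule acts on it) and renders the root as "." the way dnstop does. Both packets are constructed for this example.

```python
import struct

# Constructed sample DNS query payloads (UDP payload only; no IP/UDP headers).
# A query for the root zone carries a QNAME that is just the empty label,
# which dnstop prints as ".". These bytes are hand-built for this example.
ROOT_NS_QUERY = (
    b"\x12\x34"                  # transaction ID
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x00"                      # QNAME: root (single zero-length label)
    b"\x00\x02"                  # QTYPE = NS
    b"\x00\x01"                  # QCLASS = IN
)
EXAMPLE_A_QUERY = (
    b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header, QDCOUNT = 1
    b"\x07example\x03com\x00"                             # QNAME: example.com.
    b"\x00\x01\x00\x01"                                   # QTYPE = A, QCLASS = IN
)

def parse_question(payload):
    """Return (qname, qtype, qclass) for the first question in a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos] if pos < len(payload) else None
        if length is None or pos + 1 + length > len(payload):
            raise ValueError("truncated QNAME")
        if length == 0:          # root label terminates the name
            pos += 1
            break
        if length & 0xC0:        # compression pointer; not handled in this example
            raise ValueError("compressed QNAME not supported")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 4 > len(payload):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    # dnstop-style rendering: the root is "." and every other name ends in "."
    qname = "." if not labels else ".".join(labels) + "."
    return qname, qtype, qclass

def is_root_query(payload):
    """True when the first question is for the root zone (shown as '.' by dnstop)."""
    return parse_question(payload)[0] == "."
```

Feeding captured UDP/53 payloads through `is_root_query` lets you count root queries independently of what the nameserver itself logs, which is exactly the gap between dnstop and iptables that the thread points out.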