Marek Gutkowski <[EMAIL PROTECTED]> wrote:
>
> > It doesn't. snort is lying -- don't worry, it lies about a lot of other
> > things, too. Take everything snort says with a grain of salt.
> First - thanks for a quick reply.
>
> Snort is just a tool, and my previous post was about qmail, not snort :)
> Snort is not lying. You think it took the packet dump out of the blue sky?
> I also ran tcpdump and it says the same. Is tcpdump also lying?
No. There's no zone transfer happening. The worst case is Hotmail went over
the 512-byte UDP DNS response limit, and the resolver is therefore trying to
do a TCP query instead. This is not a zone transfer, but snort reports it as
such.
> Mail server really tries to connect to the DNS with tcp dport 53. It does.
> It does. I'm sure.
Hotmail's probably over the 512 byte limit, then. That doesn't make it a zone
transfer.
Charles
--
-----------------------------------------------------------------------
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
-----------------------------------------------------------------------
