Focus on Microsoft
Question on IIS servers and reverse lookup Mar 09 2005 10:41PM
Maxime Ducharme (mducharme cybergeneration com) (1 replies)
Re: Question on IIS servers and reverse lookup Mar 10 2005 09:34PM
Matt Ostiguy (ostiguy gmail com)
>
> I remember that nslookup() function of NT kernel
> uses NetBIOS if DNS doesn't reply anything
> (correct me if I'm wrong).
>

This is roughly it (I cannot swear to the implementation details, only
the real world results). Just one of my mailservers has generated
1824 blocked outbound requests to port 137 so far today. A cursory
check shows that they are going to hosts with no reverse DNS records.
When there are none, Windows will issue a direct NetBIOS name query.

An nbtstat -A x.x.x.x creates the same results - issue a direct NetBIOS
name query to the remote host.

I don't have a pure IIS machine handy to confirm if it is the IIS
reverse logging setting that is specifically generating those name
resolution packets, but my logs indicate that my www log crunching
correlates highly with the generation of such packets - every hour
something calls the Windows name resolution API, and it cycles through
the various methods, generating them.

Matt Ostiguy
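
One way to check the correlation described in the message above, as an added example that is not part of the original post: it tallies blocked outbound UDP 137 packets per source host by whether the destination has a reverse DNS record. The log line format, the addresses and the PTR table are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log; the line format is an assumption for this example.
SAMPLE_FW_LOG = """\
2005-03-10 09:00:01 DROP UDP 10.0.0.25:137 -> 198.51.100.7:137
2005-03-10 09:00:01 DROP UDP 10.0.0.25:137 -> 198.51.100.7:137
2005-03-10 09:00:04 DROP UDP 10.0.0.25:137 -> 203.0.113.40:137
2005-03-10 09:00:09 ALLOW UDP 10.0.0.25:1045 -> 192.0.2.53:53
2005-03-10 09:00:12 DROP TCP 10.0.0.25:1050 -> 203.0.113.40:445
2005-03-10 09:01:30 DROP UDP 10.0.0.30:137 -> 192.0.2.80:137
2005-03-10 09:01:31 DROP UDP 10.0.0.30:137 -> 198.51.100.99:137
"""

# Constructed reverse-lookup results: IP -> PTR name, None = no PTR record.
SAMPLE_PTR = {
    "198.51.100.7": None,
    "203.0.113.40": None,
    "192.0.2.80": "www.example.net",
}

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def blocked_nbns(log_text):
    """Yield (src, dst) for every dropped UDP packet sent to port 137."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "DROP" and m["proto"] == "UDP" and m["dport"] == "137":
            yield m["src"], m["dst"]

def correlate(log_text, ptr_lookup):
    """Per source host, count blocked queries by the target's PTR status."""
    report = defaultdict(Counter)
    for src, dst in blocked_nbns(log_text):
        if dst not in ptr_lookup:
            status = "unchecked"   # no reverse lookup result was recorded
        elif ptr_lookup[dst] is None:
            status = "no_ptr"      # consistent with the fallback described
        else:
            status = "has_ptr"     # something else triggered the query
        report[src][status] += 1
    return {src: dict(counts) for src, counts in report.items()}

if __name__ == "__main__":
    for src, counts in correlate(SAMPLE_FW_LOG, SAMPLE_PTR).items():
        print(src, counts)
```

A source whose count is dominated by `no_ptr` fits the reverse-lookup fallback; a large `has_ptr` count points to some other cause of the port 137 traffic.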

Copyright 2008, SecurityFocus