topic Re: HTTP GET Request on port 53 in OpenDNS

HTTP GET Request on port 53

mparp — Tue, 06 Jun 2017 16:21:24 GMT

Hello,

I have a question. In my network I have IDS systems and some connection to 208.67.222.222 blocked because they are destined to TCP port 53 but connection is HTTP.

For example (HTTP header from PCAP):

GET /getadmarker2.png HTTP/1.1

Host: choices.truste.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Accept: image/webp,image/*,*/*;q=0.8

Referer: http://www.webmd.com/skin-problems-and-treatments/news/20110204/faq-pesky-rashes-from-plants

Accept-Encoding: gzip, deflate, sdch

Accept-Language: en-US,en;q=0.8

Can you explain me what is going on, why I see HTTP connections by port 53 (which is DNS originally) destined to OpenDNS (Umbrella) server 208.67.222.222

What technology, service, feature behind this connection. It looks legitimate but I want to know what is going on and if it is legit traffic I should add an negation in my signatures

Best Regards

Max

Re: HTTP GET Request on port 53

rotblitz — Tue, 06 Jun 2017 19:45:41 GMT

"why I see HTTP connections by port 53 (which is DNS originally) destined to OpenDNS (Umbrella) server 208.67.222.222 "

Sorry, dude, I do not see this from your PCAP HTTP header. No HTTP port 53 mentioned, all goes via port 80.

Pretty clear that you might see also DNS traffic over port 53 (UDP, maybe TCP) to 208.67.222.222 at the same time, or better milliseconds before, because this domain choices.truste.com needs to be resolved, of course.

Re: HTTP GET Request on port 53

mparp — Tue, 06 Jun 2017 20:44:41 GMT

As we can see destination host is 208.67.222.222 and destination port is TCP 53 but we see HTTP

Re: HTTP GET Request on port 53

rotblitz — Wed, 07 Jun 2017 06:56:53 GMT

Sorry, still not seeing HTTP and 53. 😞

Re: HTTP GET Request on port 53

mparp — Wed, 07 Jun 2017 12:42:57 GMT

🙂 Red text this is follow TCP session from Wire Shark

First picture (background)

Source IP 10.7.2.33

Destination IP 208.67.222.222 (resolver1.opendns.com)

Source Port 55389

Destination Port 53

Second picture (where red string we see)

Right click and chose follow TCp session and we get HTTP format

GET - URI request

Host - destination host

User agent - mac OS browser

refer

and so on

Regards,

Max

Re: HTTP GET Request on port 53

rotblitz — Wed, 07 Jun 2017 13:26:55 GMT

"First picture (background)"

This is the DNS query to OpenDNS. I can see also the DNS response.

"Second picture (where red string we see)"

Yes, fine, this is the HTTP GET request. I do not see the "Dst Port" on the picture in the background, because it is outside. But I bet this is port 80, not 53. And even if it displayed 53, this is nonsense and would not work. You would not be able to visit http://choices.truste.com/getadmarker2.png - It may be a glitch with PCAP, but is not reality.

Also, resolver1.opendns.com does not and cannot handle HTTP traffic on port 53 (or 80).
Try it out: http://resolver1.opendns.com:53/

Back to your question "What technology, service, feature behind this connection":

The "feature" is a bug in PCAP. Try with another sniffer. 😉

Re: HTTP GET Request on port 53

mparp — Wed, 07 Jun 2017 13:58:39 GMT

rotblitz, Looks like I do not understand you.

Picture 1: Full PCAP

Pic -2 follow TCP stream for Pic -1

Picture 3 result from follow TCP sream for Pic - 1

That is all what I have 🙂

Re: HTTP GET Request on port 53

mparp — Wed, 07 Jun 2017 14:02:04 GMT

May be BUG, will investigate this

Re: HTTP GET Request on port 53

rotblitz — Wed, 07 Jun 2017 16:12:55 GMT

Yes, now it's clearer. Wireshark seems to pick the wrong thing from "Follow -> TCP Stream". This is not the details from the normal DNS traffic you're showing in the background which is clearly not HTTP, but DNS. Maybe this is also intentional, no idea what they would do with this. At least it was good enough to confuse you.