[dns-operations] odd nxdomain behaviour (reported on bugtraq today)

Paul Vixie paul at vix.com
Thu Mar 2 04:55:21 UTC 2006


here's me, asking a question of an open recursive nameserver (one of four
named on bugtraq today) which gives a proper, normal, non-nxdomain answer:

#fh:amd64# dig +bufsize=4096 @68.1.199.151 . ptr

04:47:30.314430 IP fh.65441 > 68.1.199.151.53:  21720+ [1au] PTR? . (28)
04:47:30.400760 IP 68.1.199.151.53 > fh.65441:  21720 0/1/1 (103)

here's me asking for something that generates an nxdomain answer:

#fh:amd64# dig +bufsize=4096 @68.1.199.151 bugtraq a

04:47:49.022601 IP fh.50201 > 68.1.199.151.53:  34198+ [1au] A? bugtraq. (36)
04:47:49.149182 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:49.163523 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:49.163548 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:49.167181 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:49.167196 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:52.111413 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:52.111445 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:52.123260 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:52.123276 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:52.159390 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:52.159408 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:55.113114 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:55.113141 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:55.127450 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:55.127468 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:55.153487 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:55.153506 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:58.113538 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:58.113562 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:58.126117 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:58.126132 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:58.150985 IP 68.1.199.151.53 > fh.50201:  34198 NXDomain 0/1/1 (111)
04:47:58.151003 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable

fpdns is uninformative in this case.

fingerprint (68.1.199.151, 68.1.199.151): No match found

anybody know more about this net or its nameservers?  they are an example of
a disturbingly large set of similarly-behaving nameservers, and the
implications on spoofed-source dns amplification are somewhat alarming.
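
An added example, not part of the original post: a defender-side check that reads tcpdump text output in the format shown above, groups packets by DNS transaction, and flags servers that answer one query several times, with the resulting byte ratio. The names summarize and flag_repeaters and the sample capture are constructed for illustration; lengths are the values tcpdump prints in parentheses.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format (documentation addresses and
# made-up ids; not packets from the post).
SAMPLE = """\
10:00:00.000000 IP client.40000 > 192.0.2.53.53:  1111+ [1au] PTR? . (28)
10:00:00.080000 IP 192.0.2.53.53 > client.40000:  1111 0/1/1 (103)
10:00:05.000000 IP client.40001 > 192.0.2.53.53:  2222+ [1au] A? example. (36)
10:00:05.120000 IP 192.0.2.53.53 > client.40001:  2222 NXDomain 0/1/1 (111)
10:00:05.140000 IP 192.0.2.53.53 > client.40001:  2222 NXDomain 0/1/1 (111)
10:00:05.140020 IP client > 192.0.2.53: icmp 36: client udp port 40001 unreachable
10:00:08.100000 IP 192.0.2.53.53 > client.40001:  2222 NXDomain 0/1/1 (111)
"""

# time IP src.sport > dst.dport:  id[flags] ... (length)
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+):\s+(\d+)\S*\s.*\((\d+)\)$")

def summarize(capture):
    """Per (server, client, client port, DNS id): packet and byte counts."""
    stats = defaultdict(lambda: {"queries": 0, "responses": 0, "in": 0, "out": 0})
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ICMP unreachables and anything that is not UDP DNS
        src, sport, dst, dport, txid, length = m.groups()
        if dport == "53":      # client -> server: a query
            s = stats[(dst, src, sport, txid)]
            s["queries"] += 1
            s["in"] += int(length)
        elif sport == "53":    # server -> client: a response
            s = stats[(src, dst, dport, txid)]
            s["responses"] += 1
            s["out"] += int(length)
    return dict(stats)

def flag_repeaters(stats):
    """Transactions answered more often than asked -> bytes out / bytes in."""
    return {key: round(s["out"] / s["in"], 2)
            for key, s in stats.items()
            if s["queries"] and s["responses"] > s["queries"]}

if __name__ == "__main__":
    for key, ratio in flag_repeaters(summarize(SAMPLE)).items():
        print(key, "amplification x%.2f" % ratio)
```

Fed the second capture above, the same logic counts 12 responses of 111 bytes to one 36-byte query, a ratio of 37.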


