[dns-operations] odd nxdomain behaviour (reported on bugtraq today)
Paul Vixie
paul at vix.com
Thu Mar 2 04:55:21 UTC 2006
here's me, asking a question of an open recursive nameserver (one of four
named on bugtraq today) which gives a proper, normal, non-nxdomain answer:
#fh:amd64# dig +bufsize=4096 @68.1.199.151 . ptr
04:47:30.314430 IP fh.65441 > 68.1.199.151.53: 21720+ [1au] PTR? . (28)
04:47:30.400760 IP 68.1.199.151.53 > fh.65441: 21720 0/1/1 (103)
here's me asking for something that generates an nxdomain answer:
#fh:amd64# dig +bufsize=4096 @68.1.199.151 bugtraq a
04:47:49.022601 IP fh.50201 > 68.1.199.151.53: 34198+ [1au] A? bugtraq. (36)
04:47:49.149182 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:49.163523 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:49.163548 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:49.167181 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:49.167196 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:52.111413 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:52.111445 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:52.123260 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:52.123276 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:52.159390 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:52.159408 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:55.113114 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:55.113141 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:55.127450 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:55.127468 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:55.153487 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:55.153506 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:58.113538 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:58.113562 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:58.126117 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:58.126132 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
04:47:58.150985 IP 68.1.199.151.53 > fh.50201: 34198 NXDomain 0/1/1 (111)
04:47:58.151003 IP fh > 68.1.199.151: icmp 36: fh udp port 50201 unreachable
fpdns is uninformative in this case.
fingerprint (68.1.199.151, 68.1.199.151): No match found
anybody know more about this net or its nameservers? they are a example of
a disturbingly large set of similarly-behaving nameservers, and the
implications on spoofed-source dns amplification is somewhat alarming.
More information about the dns-operations
mailing list