[dns-operations] odd nxdomain behaviour (reported on bugtraq today)

Tim Wilde twilde at dyndns.com
Thu Mar 2 05:07:22 UTC 2006


On Thu, 2 Mar 2006, Paul Vixie wrote:

> fpdns is uninformative in this case.
>
> fingerprint (68.1.199.151, 68.1.199.151): No match found
>
> anybody know more about this net or its nameservers?  they are an example of
> a disturbingly large set of similarly-behaving nameservers, and the
> implications on spoofed-source dns amplification are somewhat alarming.

I had a couple of speculations when I first saw this earlier today.  My 
first guess was maybe some kind of problem with a router/"DDoS prevention" 
device/some such on the path.  I don't know how one would verify that, 
though.  The version.bind response for this server claims it's BIND 
9.2.5, but as you pointed out, the fingerprint is inconclusive, and I 
assume Mark will chime in if this is, in fact, a known bug in older BIND 
versions.

I'd love to see a wider study of where this can be found in the wild; it 
might help nail down a pattern.  The small list of sources in the posts 
I've seen about it so far makes that very difficult.  In my testing the 
responses were bit-for-bit identical, which really made me think some kind 
of problem at a layer below the application - almost like something was 
applying TCP-like retry behaviors to UDP.

Tim

-- 
Tim Wilde
twilde at dyndns.com
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.com/
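Checking a resolver one administers for the behaviour Tim describes (several bit-for-bit identical responses to a single query, and the resulting bytes-out over bytes-in ratio) comes down to grouping the datagrams that come back for one transaction ID. The following is an added example, not code from this post or from Dynamic Network Services; the packets it examines are constructed inline rather than captured from the server under discussion, and the name `nonexistent.example` is a placeholder.

```python
import struct
from collections import Counter

RCODE_NXDOMAIN = 3

def encode_name(qname: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"

def build_query(txid: int, qname: str) -> bytes:
    """Minimal A/IN query with RD set (constructed sample, not a captured packet)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid: int, qname: str, rcode: int) -> bytes:
    """Minimal response (QR, RD, RA set) echoing the question, no answer records."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def parse_header(pkt: bytes) -> dict:
    """Pull the fields of the 12-byte DNS header that the analysis needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF, "ancount": an}

def analyse_responses(query: bytes, datagrams: list) -> dict:
    """Summarise every datagram received on the query's source port after it was sent:
    how many are responses to that transaction, how many are byte-identical repeats,
    how many carry NXDOMAIN, and the bytes-out / bytes-in amplification factor."""
    qid = parse_header(query)["id"]
    matching = [d for d in datagrams
                if len(d) >= 12 and parse_header(d)["id"] == qid and parse_header(d)["qr"] == 1]
    payloads = Counter(matching)
    return {
        "responses": len(matching),
        "distinct_payloads": len(payloads),
        "identical_repeats": sum(n - 1 for n in payloads.values()),
        "nxdomain": sum(1 for d in matching if parse_header(d)["rcode"] == RCODE_NXDOMAIN),
        "amplification": sum(len(d) for d in matching) / len(query),
    }

# Constructed capture: the same NXDOMAIN answer arrives three times, plus one
# stray datagram with a different transaction ID that must be ignored.
QUERY = build_query(0x1234, "nonexistent.example")
CAPTURE = [build_response(0x1234, "nonexistent.example", RCODE_NXDOMAIN)] * 3 \
          + [build_response(0x9999, "other.example", 0)]

if __name__ == "__main__":
    print(analyse_responses(QUERY, CAPTURE))
```

With the constructed capture the amplification is exactly 3.0 even though each response is no larger than the query, which is the point of the observation: the multiplier comes from repetition, not from response size.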