[dns-operations] odd nxdomain behaviour (reported on bugtraq today)

Tim Wilde twilde at dyndns.com
Thu Mar 2 05:07:22 UTC 2006

On Thu, 2 Mar 2006, Paul Vixie wrote:

> fpdns is uninformative in this case.
> fingerprint (, No match found
> anybody know more about this net or its nameservers?  they are a example of
> a disturbingly large set of similarly-behaving nameservers, and the
> implications on spoofed-source dns amplification is somewhat alarming.

I had a couple of speculations when I first saw this earlier today.  My 
first guess was maybe some kind of problem with a router/"DDoS prevention" 
device/some such on the path.  I don't know how one would verify that, 
though.  The version.bind response for this server claims it's BIND 
9.2.5, but as you pointed out, the fingerprint is inconclusive, and I 
assume Mark will chime in if this is, in fact, a known bug in older BIND 

I'd love to see a wider study of where this can be found in the wild, it 
might help nail down a pattern.  The small list of sources in the posts 
I've seen about it so far make that very difficult.  In my testing the 
responses were bit-for-bit identical, which really made me think some kind 
of problem at a layer below the application - almost like something was 
applying TCP-like retry behaviors to UDP.


Tim Wilde
twilde at dyndns.com
Systems Administrator
Dynamic Network Services, Inc.

More information about the dns-operations mailing list