[dns-operations] odd nxdomain behaviour (reported on bugtraq today)

Mark Andrews Mark_Andrews at isc.org
Thu Mar 2 05:57:56 UTC 2006


> On Thu, 2 Mar 2006, Paul Vixie wrote:
> 
> > fpdns is uninformative in this case.
> >
> > fingerprint (68.1.199.151, 68.1.199.151): No match found
> >
> > anybody know more about this net or its nameservers?  they are an example of
> > a disturbingly large set of similarly-behaving nameservers, and the
> > implications on spoofed-source dns amplification are somewhat alarming.
> 
> I had a couple of speculations when I first saw this earlier today.  My 
> first guess was maybe some kind of problem with a router/"DDoS prevention" 
> device/some such on the path.  I don't know how one would verify that, 
> though.  The version.bind response for this server claims it's BIND 
> 9.2.5, but as you pointed out, the fingerprint is inconclusive, and I 
> assume Mark will chime in if this is, in fact, a known bug in older BIND 
> versions.

	Not as far as I am aware.
 
> I'd love to see a wider study of where this can be found in the wild, it 
> might help nail down a pattern.  The small list of sources in the posts 
> I've seen about it so far make that very difficult.  In my testing the 
> responses were bit-for-bit identical, which really made me think some kind 
> of problem at a layer below the application - almost like something was 
> applying TCP-like retry behaviors to UDP.

	With Paul's source the ip id varies per packet so it is unlikely
	to be replication at the ip level.  The rest of the packet other
	than the checksums won't vary and I wouldn't expect them to vary.
 
> Tim
> 
> -- 
> Tim Wilde
> twilde at dyndns.com
> Systems Administrator
> Dynamic Network Services, Inc.
> http://www.dyndns.com/
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
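
The reasoning in the reply above (identical responses whose IP ID differs per packet are unlikely to be copies made at the IP level) can be checked mechanically over a capture. This is an added example, not part of the original message; the addresses, ports, DNS IDs and verdict labels are constructed, and it assumes no device on the path rewrites the IP ID.

```python
import struct
from collections import defaultdict

def build_packet(ip_id, src, dst, dns_payload, sport=53, dport=33333):
    """Constructed sample data: minimal IPv4+UDP packet, checksums left at 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns_payload), 0) + dns_payload
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, 17, 0,
                       addr(src), addr(dst)) + udp

def parse_packet(pkt):
    """Return (flow, ip_id, udp_payload) for a raw IPv4/UDP packet."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        raise ValueError("truncated IPv4/UDP packet")
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return (pkt[12:16], sport, pkt[16:20], dport), ip_id, pkt[ihl + 8:ihl + ulen]

def classify_duplicates(packets):
    """Map (server IP, DNS ID) -> verdict for each response seen more than once."""
    seen = defaultdict(list)
    for pkt in packets:
        flow, ip_id, payload = parse_packet(pkt)
        if len(payload) >= 12:                   # full DNS header present
            seen[(flow, payload)].append(ip_id)  # same flow, same DNS bytes
    verdicts = {}
    for (flow, payload), ip_ids in seen.items():
        if len(ip_ids) < 2:
            continue                             # not a duplicate
        key = (".".join(str(b) for b in flow[0]), struct.unpack("!H", payload[:2])[0])
        if len(set(ip_ids)) == len(ip_ids):
            verdicts[key] = "separate datagrams"  # each one emitted by an IP stack
        elif len(set(ip_ids)) == 1:
            verdicts[key] = "ip-level copies"     # one datagram replicated in transit
        else:
            verdicts[key] = "mixed"
    return verdicts

def nxdomain(dns_id):
    """Constructed header-only DNS response: QR=1, RD=1, RA=1, RCODE=3."""
    return struct.pack("!HHHHHH", dns_id, 0x8183, 0, 0, 0, 0)

SRV, CLI = "192.0.2.53", "198.51.100.7"           # documentation addresses
SAMPLE = ([build_packet(100 + i, SRV, CLI, nxdomain(0x1A2B)) for i in range(3)]
          + [build_packet(7, SRV, CLI, nxdomain(0x2222)) for _ in range(2)]
          + [build_packet(9, SRV, CLI, nxdomain(0x3333))])

if __name__ == "__main__":
    for key, verdict in classify_duplicates(SAMPLE).items():
        print(key, verdict)
```

Only the UDP payload is compared, so the checksum differences noted above do not affect the grouping.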


