[dns-operations] odd nxdomain behaviour (reported on bugtraq today)
Gadi Evron
ge at linuxbox.org
Thu Mar 2 08:05:52 UTC 2006
Tim Wilde wrote:
> On Thu, 2 Mar 2006, Paul Vixie wrote:
>
>>fpdns is uninformative in this case.
>>
>>fingerprint (68.1.199.151, 68.1.199.151): No match found
>>
>>anybody know more about this net or its nameservers? they are a example of
>>a disturbingly large set of similarly-behaving nameservers, and the
>>implications on spoofed-source dns amplification is somewhat alarming.
>
> I had a couple of speculations when I first saw this earlier today. My
> first guess was maybe some kind of problem with a router/"DDoS prevention"
> device/some such on the path. I don't know how one would verify that,
> though. The version.bind response for this server claims it's BIND
> 9.2.5, but as you pointed out, the fingerprint is inconclusive, and I
> assume Mark will chime in if this is, in fact, a known bug in older BIND
> versions.
>
> I'd love to see a wider study of where this can be found in the wild, it
> might help nail down a pattern. The small list of sources in the posts
> I've seen about it so far make that very difficult. In my testing the
> responses were bit-for-bit identical, which really made me think some kind
> of problem at a layer below the application - almost like something was
> applying TCP-like retry behaviors to UDP.
I quite agree. A friend talked to a few people over at APRICOT about
this yesterday and they also suggested one of the possible reasons may
be they are behind load balancers.
Gadi.
More information about the dns-operations
mailing list