[dns-operations] odd nxdomain behaviour (reported on bugtraq today)

Gadi Evron ge at linuxbox.org
Thu Mar 2 08:05:52 UTC 2006

Tim Wilde wrote:
> On Thu, 2 Mar 2006, Paul Vixie wrote:
>>fpdns is uninformative in this case.
>>fingerprint (, No match found
>>anybody know more about this net or its nameservers?  they are a example of
>>a disturbingly large set of similarly-behaving nameservers, and the
>>implications on spoofed-source dns amplification is somewhat alarming.
> I had a couple of speculations when I first saw this earlier today.  My 
> first guess was maybe some kind of problem with a router/"DDoS prevention" 
> device/some such on the path.  I don't know how one would verify that, 
> though.  The version.bind response for this server claims it's BIND 
> 9.2.5, but as you pointed out, the fingerprint is inconclusive, and I 
> assume Mark will chime in if this is, in fact, a known bug in older BIND 
> versions.
> I'd love to see a wider study of where this can be found in the wild, it 
> might help nail down a pattern.  The small list of sources in the posts 
> I've seen about it so far make that very difficult.  In my testing the 
> responses were bit-for-bit identical, which really made me think some kind 
> of problem at a layer below the application - almost like something was 
> applying TCP-like retry behaviors to UDP.

I quite agree. A friend talked to a few people over at APRICOT about 
this yesterday and they also suggested one of the possible reasons may 
be they are behind load balancers.


More information about the dns-operations mailing list