[dns-operations] DNS replies from AS 4808

James Raftery james at now.ie
Wed Jun 3 22:45:18 UTC 2009


On 3 Jun 2009, at 18:34, Duane Wessels wrote:
> It looks to me
> like queries (rather than responses) are being intercepted.

Not so sure. I was seeing replies to MX and AAAA queries containing A RDATA, despite the type field in the answer section RR still being MX or AAAA. Pkt dissection below.


james
-- 
Time flies like an arrow. Fruit flies like bananas.


=== Start packet: Revision: 1.40 =======================================
Discarding Layer 2 header (DLT_EN10MB):
00123fcc6e5c00120166478c0800

Discarding IPv4/UDP header:
4510007476d60000311178e97b7d32f6c0a82a8e0035f26700603691

Analyzing DNS packet (88 octets):
243185800001000100000000077477697474657203636f6d056d756c746905737572626c036f726700001c0001077477697474657203636f6d056d756c746905737572626c036f726700001c0001000151800004d35e4293
========================================================================
Reading Header section
Starting to read the header
read 2 octets (0x2431) starting at octet 0
ID is 0x2431 (decimal 9265)
read 2 octets (0x8580) starting at octet 2
Flags are 0x8580 (decimal 34176)
   QR is set - response
   Opcode is 0 (QUERY)
   AA is set
   TC is unset
   RD is set
   RA is set
    Z is unset
   AD is unset
   CD is unset
   Rcode is 0 (NOERROR)
read 2 octets (0x0001) starting at octet 4
Number of question RRs (QDCOUNT) is 0x0001 (decimal 1)
read 2 octets (0x0001) starting at octet 6
Number of answer RRs (ANCOUNT) is 0x0001 (decimal 1)
read 2 octets (0x0000) starting at octet 8
Number of authority RRs (NSCOUNT) is 0x0000 (decimal 0)
read 2 octets (0x0000) starting at octet 10
Number of additional RRs (ARCOUNT) is 0x0000 (decimal 0)
========================================================================
Reading Question section (QDCOUNT is 1)
Starting to read a question
Starting to read a domain name
read 1 octets (0x07) starting at octet 12
Length of next label is 0x07 (decimal 7) octets
read 1 octets (0x74) starting at octet 13
Octet 1/7 is: t
read 1 octets (0x77) starting at octet 14
Octet 2/7 is: w
read 1 octets (0x69) starting at octet 15
Octet 3/7 is: i
read 1 octets (0x74) starting at octet 16
Octet 4/7 is: t
read 1 octets (0x74) starting at octet 17
Octet 5/7 is: t
read 1 octets (0x65) starting at octet 18
Octet 6/7 is: e
read 1 octets (0x72) starting at octet 19
Octet 7/7 is: r
Label is 'twitter'
Name so far is: twitter
read 1 octets (0x03) starting at octet 20
Length of next label is 0x03 (decimal 3) octets
read 1 octets (0x63) starting at octet 21
Octet 1/3 is: c
read 1 octets (0x6f) starting at octet 22
Octet 2/3 is: o
read 1 octets (0x6d) starting at octet 23
Octet 3/3 is: m
Label is 'com'
Name so far is: twitter.com
read 1 octets (0x05) starting at octet 24
Length of next label is 0x05 (decimal 5) octets
read 1 octets (0x6d) starting at octet 25
Octet 1/5 is: m
read 1 octets (0x75) starting at octet 26
Octet 2/5 is: u
read 1 octets (0x6c) starting at octet 27
Octet 3/5 is: l
read 1 octets (0x74) starting at octet 28
Octet 4/5 is: t
read 1 octets (0x69) starting at octet 29
Octet 5/5 is: i
Label is 'multi'
Name so far is: twitter.com.multi
read 1 octets (0x05) starting at octet 30
Length of next label is 0x05 (decimal 5) octets
read 1 octets (0x73) starting at octet 31
Octet 1/5 is: s
read 1 octets (0x75) starting at octet 32
Octet 2/5 is: u
read 1 octets (0x72) starting at octet 33
Octet 3/5 is: r
read 1 octets (0x62) starting at octet 34
Octet 4/5 is: b
read 1 octets (0x6c) starting at octet 35
Octet 5/5 is: l
Label is 'surbl'
Name so far is: twitter.com.multi.surbl
read 1 octets (0x03) starting at octet 36
Length of next label is 0x03 (decimal 3) octets
read 1 octets (0x6f) starting at octet 37
Octet 1/3 is: o
read 1 octets (0x72) starting at octet 38
Octet 2/3 is: r
read 1 octets (0x67) starting at octet 39
Octet 3/3 is: g
Label is 'org'
Name so far is: twitter.com.multi.surbl.org
read 1 octets (0x00) starting at octet 40
Zero octet, end of name, append root label
This name is 'twitter.com.multi.surbl.org.'
QNAME is: twitter.com.multi.surbl.org.
read 2 octets (0x001c) starting at octet 41
QTYPE is 0x001c (AAAA / decimal 28)
read 2 octets (0x0001) starting at octet 43
QCLASS is 0x0001 (IN / decimal 1)

twitter.com.multi.surbl.org.    IN      AAAA

========================================================================
Reading Answer section (ANCOUNT is 1)
Starting to read an RR
Starting to read a domain name
read 1 octets (0x07) starting at octet 45
Length of next label is 0x07 (decimal 7) octets
read 1 octets (0x74) starting at octet 46
Octet 1/7 is: t
read 1 octets (0x77) starting at octet 47
Octet 2/7 is: w
read 1 octets (0x69) starting at octet 48
Octet 3/7 is: i
read 1 octets (0x74) starting at octet 49
Octet 4/7 is: t
read 1 octets (0x74) starting at octet 50
Octet 5/7 is: t
read 1 octets (0x65) starting at octet 51
Octet 6/7 is: e
read 1 octets (0x72) starting at octet 52
Octet 7/7 is: r
Label is 'twitter'
Name so far is: twitter
read 1 octets (0x03) starting at octet 53
Length of next label is 0x03 (decimal 3) octets
read 1 octets (0x63) starting at octet 54
Octet 1/3 is: c
read 1 octets (0x6f) starting at octet 55
Octet 2/3 is: o
read 1 octets (0x6d) starting at octet 56
Octet 3/3 is: m
Label is 'com'
Name so far is: twitter.com
read 1 octets (0x05) starting at octet 57
Length of next label is 0x05 (decimal 5) octets
read 1 octets (0x6d) starting at octet 58
Octet 1/5 is: m
read 1 octets (0x75) starting at octet 59
Octet 2/5 is: u
read 1 octets (0x6c) starting at octet 60
Octet 3/5 is: l
read 1 octets (0x74) starting at octet 61
Octet 4/5 is: t
read 1 octets (0x69) starting at octet 62
Octet 5/5 is: i
Label is 'multi'
Name so far is: twitter.com.multi
read 1 octets (0x05) starting at octet 63
Length of next label is 0x05 (decimal 5) octets
read 1 octets (0x73) starting at octet 64
Octet 1/5 is: s
read 1 octets (0x75) starting at octet 65
Octet 2/5 is: u
read 1 octets (0x72) starting at octet 66
Octet 3/5 is: r
read 1 octets (0x62) starting at octet 67
Octet 4/5 is: b
read 1 octets (0x6c) starting at octet 68
Octet 5/5 is: l
Label is 'surbl'
Name so far is: twitter.com.multi.surbl
read 1 octets (0x03) starting at octet 69
Length of next label is 0x03 (decimal 3) octets
read 1 octets (0x6f) starting at octet 70
Octet 1/3 is: o
read 1 octets (0x72) starting at octet 71
Octet 2/3 is: r
read 1 octets (0x67) starting at octet 72
Octet 3/3 is: g
Label is 'org'
Name so far is: twitter.com.multi.surbl.org
read 1 octets (0x00) starting at octet 73
Zero octet, end of name, append root label
This name is 'twitter.com.multi.surbl.org.'
NAME is: twitter.com.multi.surbl.org.
read 2 octets (0x001c) starting at octet 74
TYPE is 0x001c (AAAA / decimal 28)
read 2 octets (0x0001) starting at octet 76
CLASS is 0x0001 (IN / decimal 1)
read 4 octets (0x00015180) starting at octet 78
TTL is 0x00015180 (decimal 86400)
read 2 octets (0x0004) starting at octet 82
RDLENGTH is 0x0004 (decimal 4) octets
peek 4 octets starting at octet 84
RDATA is 0xd35e4293
Starting to read AAAA RR RDATA
BAD - RDLENGTH wasn't 16!
read 4 octets (0xd35e4293) starting at octet 84

twitter.com.multi.surbl.org. 86400      IN      AAAA    d35e:4293::::::

========================================================================
Reading Authority section (NSCOUNT is 0)
========================================================================
Reading Additional section (ARCOUNT is 0)
=== End packet =========================================================
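The dissection above ends with the tool's own complaint, "BAD - RDLENGTH wasn't 16!": an RR whose TYPE says AAAA but whose RDATA is the 4 octets of an A record. The following Python is an added example for this thread, not James Raftery's dissector or any code from the list. It parses the 88-octet DNS payload copied verbatim from the "Analyzing DNS packet" line above and flags every answer RR whose RDLENGTH contradicts a fixed-size TYPE, decoding a 4-octet RDATA as an IPv4 address so the injected address is visible. The name parser also follows compression pointers, which this particular packet does not use; the type table, function names and output shape are the example's own.

```python
"""Flag DNS answer RRs whose RDLENGTH contradicts their TYPE.

Added example, not the tool that produced the dissection in the post.
CAPTURED_REPLY is the 88-octet DNS payload from that dissection; the
size table, function names and output shape are this example's own.
"""
import socket
import struct

# Hex copied from the "Analyzing DNS packet (88 octets)" line in the post.
CAPTURED_REPLY = bytes.fromhex(
    "243185800001000100000000"                                            # header
    "077477697474657203636f6d056d756c746905737572626c036f726700001c0001"  # question
    "077477697474657203636f6d056d756c746905737572626c036f726700"          # answer NAME
    "001c0001000151800004d35e4293"                                        # TYPE CLASS TTL RDLENGTH RDATA
)

TYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}
# RR types whose RDATA has a fixed size (RFC 1035 s3.4.1, RFC 3596 s2.2).
# Variable-length types such as MX are not checked by this table.
FIXED_RDLENGTH = {1: 4, 28: 16}


def read_name(msg, off):
    """Decode a wire-format name at off, following compression pointers.

    Returns (dotted name, offset of the first octet after the name as it
    appears in the stream). Pointers are RFC 1035 s4.1.4; the captured
    reply has none, but a general parser must handle them."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer
            if resume is None:
                resume = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 128:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                                # root label ends the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (resume if resume is not None else off)


def parse_response(msg):
    """Return (header dict, [(qname, qtype, qclass)], [answer RR dicts])."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {"id": ident, "flags": flags, "qdcount": qd,
              "ancount": an, "nscount": ns, "arcount": ar}
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
        answers.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdlength": rdlen,
                        "rdata": msg[off:off + rdlen]})
        off += rdlen
    return header, questions, answers


def find_mismatches(msg):
    """Answer RRs whose RDLENGTH is wrong for their TYPE. A 4-octet RDATA
    is also rendered as IPv4, which is what an A record stuffed into an
    AAAA-shaped answer decodes to."""
    _, _, answers = parse_response(msg)
    findings = []
    for rr in answers:
        expected = FIXED_RDLENGTH.get(rr["type"])
        if expected is None or rr["rdlength"] == expected:
            continue
        findings.append({
            "name": rr["name"],
            "type": TYPE_NAMES.get(rr["type"], str(rr["type"])),
            "expected_rdlength": expected,
            "rdlength": rr["rdlength"],
            "as_ipv4": socket.inet_ntoa(rr["rdata"]) if rr["rdlength"] == 4 else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(CAPTURED_REPLY):
        print("%(name)s %(type)s RDLENGTH=%(rdlength)d (expected %(expected_rdlength)d)"
              " RDATA as IPv4: %(as_ipv4)s" % f)
```

Run against the captured payload, the check reports one AAAA RR with RDLENGTH 4 instead of 16 and decodes its RDATA as 211.94.66.147. A parser that validates RDLENGTH against TYPE treats such an RR as malformed instead of returning an address, which is the opposite of the client-visible behaviour the post describes; logging the decoded IPv4 value is the quickest way to see which address the forged replies carry.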


