[dns-operations] Abnormal activity from chinanet?

Chris Adams cmadams at hiwaay.net
Wed Apr 4 13:31:02 UTC 2012


Once upon a time, Stephane Bortzmeyer <bortzmeyer at nic.fr> said:
> On Fri, Dec 02, 2011 at 11:05:26AM -0600,
>  Chris Adams <cmadams at hiwaay.net> wrote 
>  a message of 30 lines which said:
> 
> > FYI: here's a pcap filter that will match only UDP DNS ANY queries:
> 
> No, only if no EDNS is used in the query (and, in actual attacks, it
> is sometimes used, to get a better amplification). 

Hmm, I guess I haven't seen any of those (or enough to be a problem).
It also doesn't handle TCP requests, but since the source is apparently
spoofed, that shouldn't be an issue.

> > udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536 and udp[16:4]=0 and udp[udp[4:2]-3]=255
> 
> Counting from the end of the packet is a clever idea (to avoid parsing
> the QNAME) but it fails if there is an additional record. I assume
> this is why you test ARCOUNT=0 but it makes the filter too
> restrictive.

It has been a "good enough" solution so far for me.

Is it legal to have additional records in a query?  Shouldn't ARCOUNT=0
in all queries?
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
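The following is an added example, not code from either poster. It evaluates the quoted BPF filter in pure Python over constructed UDP datagrams (no captured traffic) and sets it beside a small parser that walks the QNAME and the additional section, so the EDNS case Stephane raises is visible: a query carrying an OPT record has ARCOUNT=1 and ends with the OPT RR rather than the question, so the filter never sees it while the parser still classifies it as an ANY query. The query builder, the port and TXID values, and the hostname are all constructed here for the demonstration.

```python
"""Byte-offset BPF filter from the thread vs. an actual DNS question parser.
All datagrams below are constructed in-process, not captured."""
import struct

DNS_PORT = 53
QTYPE_ANY = 255
TYPE_OPT = 41  # EDNS0 OPT pseudo-RR, carried in the additional section


def build_udp(payload, src_port=40000, dst_port=DNS_PORT):
    """Prepend a UDP header; length covers header + payload, checksum left 0."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def encode_qname(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, edns=False, txid=0x1234):
    """Standard query (QR=0, opcode 0, RD set), one question, optional OPT RR."""
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_qname(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root NAME, TYPE=41, CLASS=UDP payload size 4096,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def bpf_filter_matches(udp):
    """Evaluate: udp and dst port 53 and udp[10]&0xf8=0 and udp[12:4]=65536
    and udp[16:4]=0 and udp[udp[4:2]-3]=255  (offsets are into the UDP datagram)."""
    if len(udp) < 8 + 12 + 5:  # UDP header + DNS header + root QNAME + QTYPE/QCLASS
        return False
    dst_port, udp_len = struct.unpack("!HH", udp[2:6])
    if dst_port != DNS_PORT or udp_len != len(udp):
        return False
    return (
        (udp[10] & 0xF8) == 0                                # QR=0, opcode=0
        and struct.unpack("!I", udp[12:16])[0] == 65536      # QDCOUNT=1, ANCOUNT=0
        and struct.unpack("!I", udp[16:20])[0] == 0          # NSCOUNT=0, ARCOUNT=0
        and udp[udp_len - 3] == QTYPE_ANY                    # low byte of trailing QTYPE
    )


def parse_name(msg, off):
    """Walk labels to the root byte; a compression pointer ends the name."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:          # two-byte pointer, second byte already consumed below
            labels.append("<ptr>")
            off += 1
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels) or ".", off


def classify_query(udp):
    """Return (qname, qtype, has_opt) for a single-question standard query
    to port 53, or None for anything else (responses, malformed, other ports)."""
    if len(udp) < 8 + 12 or struct.unpack("!H", udp[2:4])[0] != DNS_PORT:
        return None
    msg = udp[8:]
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return None
    try:
        qname, off = parse_name(msg, 12)
        if off + 4 > len(msg):
            return None
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        has_opt = False
        for _ in range(ar):            # additional RRs: NAME TYPE CLASS TTL RDLENGTH RDATA
            _, off = parse_name(msg, off)
            if off + 10 > len(msg):
                return None
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                return None
            has_opt = has_opt or rtype == TYPE_OPT
    except ValueError:
        return None
    return qname, qtype, has_opt


def is_any_query(udp):
    info = classify_query(udp)
    return info is not None and info[1] == QTYPE_ANY


# Constructed samples: the same ANY question with and without EDNS0, plus an A query.
PLAIN_ANY = build_udp(build_query("example.com", QTYPE_ANY))
EDNS_ANY = build_udp(build_query("example.com", QTYPE_ANY, edns=True))
PLAIN_A = build_udp(build_query("example.com", 1))

if __name__ == "__main__":
    for label, pkt in (("plain ANY", PLAIN_ANY), ("EDNS ANY", EDNS_ANY), ("plain A", PLAIN_A)):
        print(f"{label:10s} bpf={bpf_filter_matches(pkt)!s:5s} parser={is_any_query(pkt)}")
```

Run stand-alone, the plain ANY query matches both; the EDNS ANY query fails the filter on its `udp[16:4]=0` term (ARCOUNT is 1) and would also fail the trailing-byte test, since the datagram now ends with the OPT record, yet the parser still reports it as ANY. Anything doing this in a monitoring pipeline should therefore parse the question rather than rely on the packet tail, and treat the ARCOUNT=0 term as a deliberate trade of coverage for filter simplicity.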