[dns-operations] Abnormal activity fron chinanet?

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Apr 4 13:38:24 UTC 2012

On Wed, Apr 04, 2012 at 08:31:02AM -0500,
 Chris Adams <cmadams at hiwaay.net> wrote 
 a message of 29 lines which said:

> Is it legal to have additional records in a query? 

Yes, with EDNS0, there is always a pseudo-RR in the additional section
(70 % of all queries going to .FR name servers).

As seen by Wireshark in a recent attack :

    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
        ripe.net: type ANY, class IN
            Name: REDACTED.example
            Type: ANY (Request for all records)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (EDNS0 option)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x0
            EDNS0 version: 0
            Z: 0x8000
                Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
                Bits 1-15: 0x0 (reserved)
            Data length: 0

More information about the dns-operations mailing list