[dns-operations] Abnormal activity from chinanet?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Apr 4 13:38:24 UTC 2012
On Wed, Apr 04, 2012 at 08:31:02AM -0500, Chris Adams <cmadams at hiwaay.net> wrote a message of 29 lines which said:
> Is it legal to have additional records in a query?
Yes, with EDNS0, there is always a pseudo-RR in the additional section
(70% of all queries going to .FR name servers).
As seen by Wireshark in a recent attack:
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        ripe.net: type ANY, class IN
            Name: REDACTED.example
            Type: ANY (Request for all records)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (EDNS0 option)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x0
            EDNS0 version: 0
            Z: 0x8000
                Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
                Bits 1-15: 0x0 (reserved)
            Data length: 0
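
Added example, not part of the original message: a minimal Python decoder for the query layout in the Wireshark dissection above, showing how the OPT pseudo-RR reuses the CLASS field for the UDP payload size and the TTL field for the extended RCODE, version and DO bit (RFC 6891). The names `SAMPLE_QUERY`, `read_name` and `parse_query` are hypothetical, and the sample bytes are constructed to mirror the dissection, not taken from the capture.

```python
import struct

# Constructed sample query (not a real capture): REDACTED.example, type ANY,
# class IN, plus an EDNS0 OPT pseudo-RR with payload size 4096 and DO set.
SAMPLE_QUERY = (
    struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)   # ID, flags (RD), counts
    + b"\x08REDACTED\x07example\x00" + struct.pack("!2H", 255, 1)  # ANY, IN
    + b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)      # OPT RR
)

def read_name(msg, off):
    """Read an uncompressed domain name; return (name, next_offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length, off = msg[off], off + 1
        if length == 0:
            return ".".join(labels) or "<Root>", off
        if length & 0xC0:
            raise ValueError("compression pointer or reserved label type")
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def parse_query(msg):
    """Return section counts, questions and the decoded OPT record (or None)."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        out = {"counts": (qd, an, ns, ar), "questions": [], "edns": None}
        off = 12
        for _ in range(qd):
            name, off = read_name(msg, off)
            qtype, qclass = struct.unpack_from("!2H", msg, off)
            out["questions"].append((name, qtype, qclass))
            off += 4
        for _ in range(an + ns + ar):
            _name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("truncated record data")
            if rtype == 41:  # OPT: CLASS is the UDP size, TTL carries flags
                out["edns"] = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                               "version": (ttl >> 16) & 0xFF,
                               "do": bool(ttl & 0x8000), "rdlen": rdlen}
    except struct.error as exc:
        raise ValueError("truncated message") from exc
    return out
```
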