[dns-operations] Null padding query packets
Jon Lewis
jlewis at lewis.org
Tue Apr 2 01:06:27 UTC 2013
I was watching the DNS query stream hitting a few rbldnsd servers recently
and noticed a small % of systems sending queries padded with hundreds of
nulls at the end of the packet. 540 is a common total packet size (512
byte query + 28 bytes IP/UDP header). 551/523 is another common size to
pad to. Of the resolvers doing this that I've been able to identify, it
seems to be a "MS Windows thing". Some of them will pad some queries to
512, some to 523, and then not pad at all for some queries.
Typical query size on these servers is about 80-90 bytes, so the padded
queries are >400 bytes of nulls. I don't think I've seen a padded query
padded to less than 512 bytes.
Googling, I haven't been able to find anything about why queries might be
null padded. I wonder if anyone has noticed this previously and if anyone
knows why this is done?...especially the resolvers that pad
inconsistently.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________