[dns-operations] Null padding query packets

Jon Lewis jlewis at lewis.org
Tue Apr 2 01:06:27 UTC 2013

I was watching the DNS query stream hitting a few rbldnsd servers recently 
and noticed a small % of systems sending queries padded with hundreds of 
nulls at the end of the packet.  540 is a common total packet size (512 
byte query + 28 bytes IP/UDP header).  551/523 is another common size to 
pad to.  Of the resolvers doing this that I've been able to identify, it 
seems to be a "MS Windows thing".  Some of them will pad some queries to 
512, some to 523, and then not pad at all for some queries.

Typical query size on these servers is about 80-90 bytes, so the padded 
queries are >400 bytes of nulls.  I don't think I've seen a padded query 
padded to less than 512 bytes.

Googling, I haven't been able to find anything about why queries might be 
null padded.  I wonder if anyone has noticed this previously and if anyone 
knows why this is done?...especially the resolvers that pad 

  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

More information about the dns-operations mailing list