[dns-operations] Null padding query packets

Jon Lewis jlewis at lewis.org
Wed Apr 3 01:37:19 UTC 2013


On Tue, 2 Apr 2013, John Kristoff wrote:

> I never bothered to get to the bottom of it, but I'm still curious.
> Since it has been going on for years, presuming we're talking about the
> same thing, which I'm confident we are, I wonder if there is some
> specific custom code that is generating this stuff.  Is it for a
> particular BL, BL user maybe?  What else is in common?  Any particular
> source network, node type?  Maybe there is just some common code doing
> the look ups and it happens to pad the message with null bytes?

I've seen it for traffic to both Spamhaus and NJABL rbldnsd servers.  The 
only commonality I noticed was the few that answered version.bind queries 
reported being Microsoft DNS.  i.e.

Microsoft DNS 6.1.7601 (1DB14556)
Microsoft DNS 6.0.6002 (1772487D)

Maybe someone at MS misread the RFC and thought 512 bytes was the minimum 
size permitted for a UDP DNS query.  :)
Maybe someone like this character:
http://stackoverflow.com/questions/12083628/make-a-512-udp-bytes-dns-request

Here's a list of servers seen sending such queries while I composed this 
message.

66.162.165.171
72.18.139.226
202.71.102.164
98.174.25.29
50.76.25.65
208.94.244.162
209.200.117.169
64.25.2.89
195.178.14.46
203.223.132.39
23.25.209.82
213.159.0.55
68.179.124.241
68.179.84.153
67.199.120.52
202.157.186.216
202.71.103.16

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
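As an added example that is not part of Jon Lewis's message or of the dns-operations thread: a small Python parser that walks a DNS query datagram (header, question section, and any records such as an EDNS OPT in the additional section) and reports the bytes left over afterwards, so the null padding described above can be measured rather than eyeballed. The DNSBL-style name 2.0.0.127.dnsbl.example, the transaction ID and the helper names are constructed for illustration only.

```python
import struct

# Constructed sample name: a reversed-IP DNSBL lookup under a made-up zone.
SAMPLE_QNAME = "2.0.0.127.dnsbl.example"


def build_query(qname, qtype=1, qclass=1, txid=0x1234, pad_to=None):
    """Build a minimal RD=1 DNS query; optionally append NUL bytes up to pad_to."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    pkt = header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)
    if pad_to is not None and len(pkt) < pad_to:
        pkt += b"\x00" * (pad_to - len(pkt))      # the padding this thread is about
    return pkt


def _read_name(buf, off):
    """Read a wire-format name starting at off; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:                              # root label terminates the name
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:                    # 2-byte compression pointer ends the name
            return ".".join(labels) + ".<ptr>", off + 1
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n


def _skip_rr(buf, off):
    """Skip one resource record (name, type, class, ttl, rdlength, rdata)."""
    _, off = _read_name(buf, off)
    _, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    return off + 10 + rdlen


def analyze_query(pkt):
    """Parse a DNS query datagram and report what follows its last section."""
    if len(pkt) < 12:
        raise ValueError("datagram shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):               # e.g. an EDNS OPT record, if present
        off = _skip_rr(pkt, off)
    trailing = pkt[off:]
    all_null = len(trailing) > 0 and not trailing.strip(b"\x00")
    return {
        "txid": txid,
        "questions": questions,
        "total_len": len(pkt),
        "trailing_bytes": len(trailing),
        "trailing_all_null": all_null,
        "padded_to_512": all_null and len(pkt) == 512,
    }


if __name__ == "__main__":
    for label, pkt in (("bare", build_query(SAMPLE_QNAME)),
                       ("padded", build_query(SAMPLE_QNAME, pad_to=512))):
        r = analyze_query(pkt)
        print(label, r["questions"], r["total_len"], r["trailing_bytes"],
              r["padded_to_512"])
```

To run it over real traffic, hand analyze_query() the UDP payloads of queries captured with a filter such as `udp dst port 53 and udp[4:2] = 520` (a UDP length of 520 is the 8-byte UDP header plus a 512-byte payload), which isolates exactly the fixed-size datagrams discussed above; the trailing_all_null flag then separates null padding from a query that is merely large because it carries EDNS or several questions.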