[dns-operations] Null padding query packets
Jon Lewis
jlewis at lewis.org
Wed Apr 3 01:37:19 UTC 2013
On Tue, 2 Apr 2013, John Kristoff wrote:
> I never bothered to get to the bottom of it, but I'm still curious.
> Since it has been going on for years, presuming we're talking about the
> same thing, which I'm confident we are, I wonder if there is some
> specific custom code that is generating this stuff. Is it for a
> particular BL, BL user maybe? What else is in common? Any particular
> source network, node type? Maybe there is just some common code doing
> the lookups and it happens to pad the message with null bytes?
I've seen it for traffic to both Spamhaus and NJABL rbldnsd servers. The
only commonality I noticed was the few that answered version.bind queries
reported being Microsoft DNS. i.e.
Microsoft DNS 6.1.7601 (1DB14556)
Microsoft DNS 6.0.6002 (1772487D)
Maybe someone at MS misread the RFC and thought 512 bytes was the minimum
size permitted for a UDP DNS query. :)
Maybe someone like this character:
http://stackoverflow.com/questions/12083628/make-a-512-udp-bytes-dns-request
Here's a list of servers seen sending such queries while I composed this
message.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
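Added example, not code from the thread or from either poster: a small Python parser that walks the header, question and record sections of a DNS message to find where the message actually ends, then reports how many bytes trail it and whether they are all NUL, which is the check a defender would run over captured queries to confirm the 512-byte padding Jon describes. The lookup name `2.0.0.127.bl.example` and the `build_query` helper are constructed for the demo, not a real DNSBL zone.

```python
import struct

def _skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        if n == 0:                      # root label ends the name
            return off + 1
        if n & 0xC0 == 0xC0:            # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n                    # ordinary label: length byte + label bytes

def dns_message_end(buf):
    """Walk header, question and all RR sections; return where the message really ends."""
    if len(buf) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack("!4H", buf[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):       # e.g. an EDNS OPT record in the additional section
        off = _skip_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated record")
        (rdlen,) = struct.unpack("!H", buf[off + 8:off + 10])  # skip TYPE, CLASS, TTL
        off += 10 + rdlen
    if off > len(buf):
        raise ValueError("truncated message")
    return off

def trailing_padding(buf):
    """Return (number of bytes after the message, whether they are all NUL)."""
    tail = buf[dns_message_end(buf):]
    return len(tail), all(b == 0 for b in tail)

def build_query(name, qtype=1, pad_to=None):
    """Constructed sample query (ID 0x1234, RD set), optionally NUL-padded to pad_to bytes."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!2H", qtype, 1)
    if pad_to is not None:
        msg += b"\x00" * (pad_to - len(msg))
    return msg

if __name__ == "__main__":
    # Constructed lookup name in the style of a DNSBL query; not a real zone.
    for m in (build_query("2.0.0.127.bl.example"), build_query("2.0.0.127.bl.example", pad_to=512)):
        print(len(m), trailing_padding(m))
```

Run against the UDP payload of a captured query, a normal client yields `(0, True)`, while the padded queries discussed here show hundreds of trailing NUL bytes.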