[dns-operations] Null padding query packets

Jon Lewis jlewis at lewis.org
Wed Apr 3 01:37:19 UTC 2013

On Tue, 2 Apr 2013, John Kristoff wrote:

> I never bothered to get to the bottom of it, but I'm still curious.
> Since it has been going on for years, presuming we're talking about the
> same thing, which I'm confident we are, I wonder if there is some
> specific custom code that is generating this stuff.  Is it for a
> particular BL, BL user maybe?  What else is in common?  Any particular
> source network, node type?  Maybe there is just some common code doing
> the look ups and it happens to pad the message with null bytes?

I've seen it for traffic to both Spamhaus and NJABL rbldnsd servers.  The 
only commonality I noticed was the few that answered version.bind queries 
reported being Microsoft DNS.  i.e.

Microsoft DNS 6.1.7601 (1DB14556)
Microsoft DNS 6.0.6002 (1772487D)

Maybe someone at MS misread the RFC and thought 512 bytes was the minimum 
size permitted for a UDP DNS query.  :)
Maybe someone like this character:

Here's a list of servers seen sending such queries while I composed this 

  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
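A small detector for the padding pattern discussed in this thread, added here as an example rather than code from the thread or from any of the servers mentioned: it walks a DNS query's header, question section and any trailing RRs, then reports how many bytes follow the last parsed field and whether that tail is entirely NUL bytes (the "padded out to 512" case). The sample DNSBL query and its padding are constructed for the example.

```python
import struct


def _skip_name(pkt, off):
    # Advance past a wire-format name (labels, or a compression pointer).
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln


def analyze_query(pkt):
    """Parse a DNS message and measure what follows its last RR.

    Returns total length, parsed length, trailing byte count and whether
    the trailing bytes are all NUL (the padding pattern under discussion).
    """
    if len(pkt) < 12:
        raise ValueError("short header")
    _txid, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                       # question: QNAME QTYPE QCLASS
        off = _skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):             # e.g. an EDNS OPT record
        off = _skip_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated RR")
        rdlen = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        off += 10 + rdlen                     # TYPE CLASS TTL RDLENGTH RDATA
    tail = pkt[off:]
    return {"total_len": len(pkt), "parsed_len": off,
            "trailing_len": len(tail),
            "trailing_all_nul": bool(tail) and tail == b"\x00" * len(tail)}


def is_null_padded(pkt):
    # True when a well-formed message carries a NUL-only tail after its last RR.
    return analyze_query(pkt)["trailing_all_nul"]


def build_query(qname, qtype=1, txid=0x1234):
    # Constructed sample: a plain recursion-desired A query, no EDNS.
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    normal = build_query("2.0.0.127.zen.spamhaus.org")   # DNSBL test address
    padded = normal.ljust(512, b"\x00")                  # the padded variant
    for p in (normal, padded):
        print(analyze_query(p), "padded" if is_null_padded(p) else "clean")
```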
