[dns-operations] Null padding query packets

Augie Schwer augie.schwer at gmail.com
Thu Apr 4 23:55:19 UTC 2013


One of the IPs ( 213.159.0.55 ) is an open PowerDNS recursor -- you could
ask on the PDNS list, I've had great success getting intelligent responses
from there.


On Tue, Apr 2, 2013 at 6:37 PM, Jon Lewis <jlewis at lewis.org> wrote:

> On Tue, 2 Apr 2013, John Kristoff wrote:
>
>> I never bothered to get to the bottom of it, but I'm still curious.
>> Since it has been going on for years, presuming we're talking about the
>> same thing, which I'm confident we are, I wonder if there is some
>> specific custom code that is generating this stuff.  Is it for a
>> particular BL, BL user maybe?  What else is in common?  Any particular
>> source network, node type?  Maybe there is just some common code doing
>> the look ups and it happens to pad the message with null bytes?
>>
>
> I've seen it for traffic to both Spamhaus and NJABL rbldnsd servers.  The
> only commonality I noticed was the few that answered version.bind queries
> reported being Microsoft DNS.  i.e.
>
> Microsoft DNS 6.1.7601 (1DB14556)
> Microsoft DNS 6.0.6002 (1772487D)
>
> Maybe someone at MS misread the RFC and thought 512 bytes was the minimum
> size permitted for a UDP DNS query.  :)
> Maybe someone like this character:
> http://stackoverflow.com/questions/12083628/make-a-512-udp-bytes-dns-request
>
> Here's a list of servers seen sending such queries while I composed this
> message.
>
>
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key _________



-- 
Augie Schwer    -    Augie at Schwer.us    -    http://schwer.us
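Detection angle, as an added example that is not part of this thread or of any list member's code: a small parser that walks a DNS message (header, question, and any RRs such as an EDNS OPT record) and measures how many bytes trail the last section, so queries padded out to 512 bytes with NUL bytes, like those described above, can be flagged in a capture. The query builder, the name it looks up, and the sample packets are constructed for illustration.

```python
import struct

def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln
        if ln == 0:                  # root label terminates the name
            return off

def dns_trailing_padding(pkt: bytes):
    """Parse a DNS message and return (msg_len, pad_len, pad_all_nul):
    bytes used by the header and all four sections, bytes left over after
    them, and whether every leftover byte is NUL. Raises ValueError if the
    message is truncated."""
    if len(pkt) < 12:
        raise ValueError("shorter than DNS header")
    qd, an, ns, ar = struct.unpack("!4H", pkt[4:12])
    off = 12
    for _ in range(qd):                          # question section
        off = _skip_name(pkt, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):                # answer/authority/additional RRs
        off = _skip_name(pkt, off)
        if off + 10 > len(pkt):                  # TYPE, CLASS, TTL, RDLENGTH
            raise ValueError("truncated RR")
        rdlength = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        off += 10 + rdlength
    if off > len(pkt):
        raise ValueError("truncated message")
    tail = pkt[off:]
    return off, len(tail), tail.count(0) == len(tail)

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: a plain, standard-query A lookup for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

if __name__ == "__main__":
    q = build_query("2.0.0.127.bl.example.net")    # hypothetical blocklist lookup
    print(dns_trailing_padding(q))                  # (42, 0, True)
    print(dns_trailing_padding(q.ljust(512, b"\x00")))  # (42, 470, True)
```

A capture filter built on this would alert on pad_len above a small threshold with pad_all_nul set, and record the source address the way the thread's version.bind survey did.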