Name servers returning incorrectly truncated UDP responses

Puneet Sood puneets at
Fri Jul 29 21:04:28 UTC 2022


While making our DNS response validation stricter, we have noticed that a
number of name servers return badly truncated UDP responses. This sometimes
happens with an incorrect Answer section RR count.

$ dig TXT @
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.18.3-1+build1-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24446
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available


;; ANSWER SECTION:
 3600 IN TXT "v=spf1 a mx ip4: ip4: ip4: ip4:
ip4: ip4: ip4:4.2" "2.42.24/31 ip4: ip4: ip4: ip4: ip4: ip4:" "24 ip4: ip4: ip4: ip4: ip4:
ip4: ip4:63.232." "236.144/29 ip4: ip4: ip4: ip4: ~all"

;; Query time: 4 msec
;; WHEN: Fri Jul 29 16:57:51 EDT 2022
;; MSG SIZE  rcvd: 542

While the affected operators are spread around the world, the similarity of
the bad response across operators appears to suggest the DNS software may
be from the same or closely related source. These servers do not respond to
a version.bind query.

Have you seen similar bad responses? Do you have an idea of the provenance
of this software?

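The kind of strict check that exposes the responses described in the message above, as an added example (not part of the original post and not the poster's validation code): it walks every RR the header claims and reports when a section runs past the end of the UDP payload. The names `skip_name` and `check_response` are hypothetical, and both sample packets are constructed for illustration.

```python
import struct

class Malformed(Exception):
    """Raised when a section runs past the end of the packet."""

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise Malformed("name runs past end of packet")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def check_response(msg):
    """Walk every RR the header claims; return (tc, claimed_counts, rrs_parsed, error)."""
    if len(msg) < 12:
        return False, (0, 0, 0, 0), 0, "short header"
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    tc, off, parsed = bool(flags & 0x0200), 12, 0
    try:
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # QTYPE + QCLASS
            if off > len(msg):
                raise Malformed("question runs past end of packet")
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            if off + 10 > len(msg):  # TYPE, CLASS, TTL, RDLENGTH
                raise Malformed("RR header runs past end of packet")
            (rdlen,) = struct.unpack("!H", msg[off + 8:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                raise Malformed("RDATA runs past end of packet")
            parsed += 1
    except Malformed as exc:
        return tc, (qd, an, ns, ar), parsed, str(exc)
    return tc, (qd, an, ns, ar), parsed, None

# Constructed sample packets (not captured traffic): TXT query for example.test.
QUESTION = b"\x07example\x04test\x00" + struct.pack("!HH", 16, 1)
# TC=1, ANCOUNT=1, but the TXT RDATA claims 200 bytes and only 20 are present.
BAD = (struct.pack("!6H", 0x5F5E, 0x8700, 1, 1, 0, 0) + QUESTION + b"\xc0\x0c"
       + struct.pack("!HHIH", 16, 1, 3600, 200) + b"\x13" + b"v=spf1 a mx ip4:192")
# TC=1, ANCOUNT=0: cut at an RR boundary, so the counts match what is present.
GOOD = struct.pack("!6H", 0x5F5E, 0x8700, 1, 0, 0, 0) + QUESTION

for _name, _pkt in (("BAD", BAD), ("GOOD", GOOD)):
    print(_name, check_response(_pkt))
```

A response with the TC bit set and a non-`None` error is the case dig reports as a malformed packet before retrying over TCP.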