Name servers returning incorrectly truncated UDP responses

Puneet Sood puneets at google.com
Fri Jul 29 21:04:28 UTC 2022


Hello,

While making our DNS response validation stricter, we have noticed that a
number of name servers return badly truncated UDP responses. This sometimes
happens with incorrect Answer section RR count.

$ dig m.email.sonyentertainmentnetwork.com. TXT @e.ns.email.sonyentertainmentnetwork.com
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.18.3-1+build1-Debian <<>> m.email.sonyentertainmentnetwork.com. TXT @e.ns.email.sonyentertainmentnetwork.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24446
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;m.email.sonyentertainmentnetwork.com. IN TXT

;; ANSWER SECTION:
m.email.sonyentertainmentnetwork.com. 3600 IN TXT "v=spf1 a mx ip4:
63.236.31.220/31 ip4:8.30.201.100/31 ip4:63.236.84.160 ip4:8.30.201.16
ip4:4.22.42.19 ip4:4.22.42.20/30 ip4:4.2" "2.42.24/31 ip4:4.22.42.26 ip4:
72.166.182.10/31 ip4:72.166.182.12/31 ip4:72.166.182.18/31 ip4:
72.166.182.20/30 ip4:207.251.96.0/" "24 ip4:65.125.54.0/24 ip4:
63.232.57.0/24 ip4:208.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29
ip4:8.7.43.16/29 ip4:63.232." "236.144/29 ip4:8.7.44.144/29 ip4:
63.236.31.128/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"

;; Query time: 4 msec
;; SERVER: 207.251.96.133#53(e.ns.email.sonyentertainmentnetwork.com) (TCP)
;; WHEN: Fri Jul 29 16:57:51 EDT 2022
;; MSG SIZE  rcvd: 542


While the affected operators are spread around the world, the similarity of
the bad response across operators appears to suggest the DNS software may
be from the same or closely related source. These servers do not respond to
a version.bind query.

Have you seen similar bad responses? Do you have an idea of the provenance
of this software?

Thanks,
Puneet
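
Added example (not part of the original message, and not the validation code the message refers to): a minimal Python check for the inconsistency described above, where a UDP response's header claims more records than the payload actually contains. The sample messages and the name txt.example are constructed; the function and class names are hypothetical.

```python
import struct

class Short(Exception):
    """A field runs past the end of the message."""

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        if off >= len(msg):
            raise Short
        n = msg[off]
        if n & 0xC0 == 0xC0:            # compression pointer: 2 bytes, ends the name
            if off + 2 > len(msg):
                raise Short
            return off + 2
        if n & 0xC0:                    # reserved label types
            raise Short
        off += 1 + n
        if n == 0:                      # root label terminates the name
            return off

def check_response(msg):
    """Compare the header's section counts with the records actually present."""
    if len(msg) < 12:
        return {"tc": False, "claimed": None, "parsed": None, "consistent": False}
    _id, flags, *claimed = struct.unpack("!6H", msg[:12])
    parsed, off = [0, 0, 0, 0], 12
    try:
        for sec, count in enumerate(claimed):
            for _ in range(count):
                off = skip_name(msg, off)
                fixed = 4 if sec == 0 else 10   # question: type+class; RR adds ttl+rdlength
                if off + fixed > len(msg):
                    raise Short
                rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0] if sec else 0
                off += fixed + rdlen
                if off > len(msg):
                    raise Short
                parsed[sec] += 1
    except Short:
        pass
    return {"tc": bool(flags & 0x0200), "claimed": tuple(claimed),
            "parsed": tuple(parsed), "consistent": parsed == claimed}

# Constructed sample messages (placeholder name, not captured traffic).
_q = b"\x03txt\x07example\x00" + struct.pack("!2H", 16, 1)
_rdata = b"\x0bv=spf1 ~all"
_rr = b"\xc0\x0c" + struct.pack("!2HIH", 16, 1, 3600, len(_rdata)) + _rdata
GOOD = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + _q + _rr
BAD = struct.pack("!6H", 0x1234, 0x8600, 1, 1, 0, 0) + _q + _rr[:-5]  # TC set, RDATA cut
```

Here check_response(BAD) reports tc=True with claimed (1, 1, 0, 0) but parsed (1, 0, 0, 0): the header still counts an answer record that does not fit in the payload.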