[dns-operations] Name servers returning incorrectly truncated UDP responses

Greg Choules gregchoules+dnsops at googlemail.com
Sat Jul 30 06:32:40 UTC 2022


This looks very broken. Here are checks of the "m.email..." and "email..."
domains - both exhibit many protocol errors:
https://ednscomp.isc.org/ednscomp/7225e09225
https://ednscomp.isc.org/ednscomp/e9310fc22b

I am including in this mail the RNAME from the SOA (same for both zones) in
the hope that someone who is responsible for DNS at Sony entertainment will
see this and take note.

Cheers, Greg

On Fri, 29 Jul 2022 at 22:09, Puneet Sood via dns-operations <
dns-operations at dns-oarc.net> wrote:

>
> ---------- Forwarded message ----------
> From: Puneet Sood <puneets at google.com>
> To: dns-operations <dns-operations at dns-oarc.net>
> Cc:
> Bcc:
> Date: Fri, 29 Jul 2022 17:04:28 -0400
> Subject: Name servers returning incorrectly truncated UDP responses
> Hello,
>
> While making our DNS response validation stricter, we have noticed that a
> number of name servers return badly truncated UDP responses. This sometimes
> happens with incorrect Answer section RR count.
>
> $ dig m.email.sonyentertainmentnetwork.com. TXT @e.ns.email.sonyentertainmentnetwork.com
> ;; Warning: Message parser reports malformed message packet.
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.18.3-1+build1-Debian <<>> m.email.sonyentertainmentnetwork.com. TXT @e.ns.email.sonyentertainmentnetwork.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24446
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;m.email.sonyentertainmentnetwork.com. IN TXT
>
> ;; ANSWER SECTION:
> m.email.sonyentertainmentnetwork.com. 3600 IN TXT "v=spf1 a mx ip4:
> 63.236.31.220/31 ip4:8.30.201.100/31 ip4:63.236.84.160 ip4:8.30.201.16
> ip4:4.22.42.19 ip4:4.22.42.20/30 ip4:4.2" "2.42.24/31 ip4:4.22.42.26 ip4:
> 72.166.182.10/31 ip4:72.166.182.12/31 ip4:72.166.182.18/31 ip4:
> 72.166.182.20/30 ip4:207.251.96.0/" "24 ip4:65.125.54.0/24 ip4:
> 63.232.57.0/24 ip4:208.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29
> ip4:8.7.43.16/29 ip4:63.232." "236.144/29 ip4:8.7.44.144/29 ip4:
> 63.236.31.128/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all"
>
> ;; Query time: 4 msec
> ;; SERVER: 207.251.96.133#53(e.ns.email.sonyentertainmentnetwork.com) (TCP)
> ;; WHEN: Fri Jul 29 16:57:51 EDT 2022
> ;; MSG SIZE  rcvd: 542
>
>
> While the affected operators are spread around the world, the similarity
> of the bad response across operators appears to suggest the DNS software
> may be from the same or closely related source. These servers do not
> respond to a version.bind query.
>
> Have you seen similar bad responses? Do you have an idea of the provenance
> of this software?
>
> Thanks,
> Puneet
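An added example, not part of this thread, of the kind of stricter response check Puneet describes: a minimal RFC 1035 wire-format walker that compares the header's section counts with the resource records that actually parse, and reports whether the TC bit is set. The sample packets are constructed inline with a placeholder name (not the zone in the report); the BAD packet models the reported symptom of TC set, ANCOUNT still 1, and the message ending mid-RDATA.

```python
import struct

def _skip_name(msg, off):
    # Return the offset just past a wire-format name, following compression pointers.
    end, hops = None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return end if end is not None else off + 1
        if length >= 0xC0:                       # compression pointer (2 bytes): jump
            if off + 1 >= len(msg) or hops > 64:
                raise ValueError("bad compression pointer")
            end = end if end is not None else off + 2
            off, hops = ((length & 0x3F) << 8) | msg[off + 1], hops + 1
        else:
            off += 1 + length

def validate_response(msg):
    """Check a raw DNS reply: TC flag, declared RR count vs. RRs that actually parse."""
    if len(msg) < 12:
        return {"tc": False, "declared": 0, "parsed": 0, "malformed": True, "reason": "short header"}
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result, off = {"tc": bool(flags & 0x0200), "declared": an + ns + ar, "parsed": 0, "malformed": False}, 12
    try:
        for _ in range(qd):                      # question: QNAME + QTYPE + QCLASS
            off = _skip_name(msg, off) + 4
            if off > len(msg):
                raise ValueError("truncated question section")
        for _ in range(an + ns + ar):            # RR: NAME + TYPE CLASS TTL RDLENGTH + RDATA
            off = _skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated RR header")
            off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
            if off > len(msg):
                raise ValueError("RDATA runs past end of message")
            result["parsed"] += 1
    except ValueError as e:
        result.update(malformed=True, reason=str(e))
    return result

def _name(s):                                    # dotted name -> wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

TXT = b"v=spf1 a mx ~all"                        # constructed sample; placeholder name, not the reported zone
GOOD = (struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0) + _name("m.example.test")   # 0x8500 = qr aa rd
        + struct.pack("!HH", 16, 1) + b"\xc0\x0c"                # question, then answer NAME pointer
        + struct.pack("!HHIH", 16, 1, 3600, len(TXT) + 1) + bytes([len(TXT)]) + TXT)
BAD = struct.pack("!HHHHHH", 0x1234, 0x8700, 1, 1, 0, 0) + GOOD[12:-10]  # TC set, ANCOUNT 1, cut mid-RDATA
```

A resolver applying this check would refuse BAD rather than trust its Answer section, and a UDP reply whose counts exceed what parses is a signal to retry over TCP regardless of the TC bit.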