[dns-operations] DNS request for ./NS with two extra bytes at the end

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu May 26 05:40:37 UTC 2022


[This has no operational consequences, it is just idle curiosity.]

A server receives a few packets/second coming from several IP
addresses and querying ./NS (like in priming, or maybe in some
reflection attacks). The server was never a root server, of course.

What is interesting is that all these packets have two extra bytes at
the end, after the class. The UDP length is correct, but the DNS
content is not. I don't show you the output of tshark, because it
ignores these extra bytes (but you can see them with Wireshark or
other tools). I attached a small pcap.

The source IP addresses (which may be spoofed) are all registered in
China.

Did anyone see these requests?

Side question: what should the receiver do? tshark, as I said, drops
these extra bytes, Wireshark flags no error (but displays the
bytes). I did not test them with various DNS servers to see how they
react. Ignoring the extra bytes in the name of the robustness
principle? Instead, at least one DNS library rejects the packet as
malformed.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: extra-bytes.pcap
Type: application/vnd.tcpdump.pcap
Size: 218 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220526/7e1374df/attachment.pcap>
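To make the "what should the receiver do?" question concrete, here is an added example (not from the post, not from any DNS implementation mentioned in it) of a minimal DNS message parser that walks the header, question section and any resource records, and then reports how many bytes are left over. It can behave either like tshark (count the trailing bytes and carry on) or like the strict library (reject the message). The sample query is constructed for this example: a ./NS IN question with two arbitrary trailing bytes, since the post does not say what the real extra bytes contain.

```python
import struct

# Constructed sample, not the pcap attached to the post: a priming-style query for
# ./NS (QNAME "." is a single zero byte, QTYPE NS = 2, QCLASS IN = 1), RD set, one
# question, no other sections. The two trailing bytes are arbitrary placeholders.
SAMPLE_QUERY = (
    struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # ID, flags (RD), QD/AN/NS/AR counts
    + b"\x00"                                           # QNAME "." (root)
    + struct.pack("!HH", 2, 1)                          # QTYPE NS, QCLASS IN
)
SAMPLE_QUERY_WITH_EXTRA = SAMPLE_QUERY + b"\xde\xad"    # two extra bytes after the class


class MalformedDNS(ValueError):
    """Raised when the wire format cannot be parsed (or, in strict mode, has trailing bytes)."""


def _read_name(msg, offset):
    """Decode a domain name (RFC 1035 labels, with compression pointers) at offset.
    Returns (name, offset just after the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            if end is None:                             # remember where to resume
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:
                raise MalformedDNS("compression pointer loop")
            continue
        if length & 0xC0:
            raise MalformedDNS("reserved label type")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise MalformedDNS("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def _skip_rr(msg, offset):
    """Skip one resource record (name, type, class, TTL, RDLENGTH, RDATA); return new offset."""
    _, offset = _read_name(msg, offset)
    if offset + 10 > len(msg):
        raise MalformedDNS("truncated RR header")
    rdlength = struct.unpack("!H", msg[offset + 8:offset + 10])[0]
    offset += 10 + rdlength
    if offset > len(msg):
        raise MalformedDNS("RDATA runs past end of message")
    return offset


def parse_message(msg, strict=False):
    """Parse a DNS message and report leftover bytes.
    strict=False: tolerate trailing bytes and report them (tshark-like behaviour).
    strict=True:  raise MalformedDNS if anything follows the last section."""
    if len(msg) < 12:
        raise MalformedDNS("message shorter than 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        if offset + 4 > len(msg):
            raise MalformedDNS("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount + nscount + arcount):    # e.g. an EDNS OPT RR in ARCOUNT
        offset = _skip_rr(msg, offset)
    trailing = len(msg) - offset
    if strict and trailing:
        raise MalformedDNS("%d trailing byte(s) after last section" % trailing)
    return {"id": ident, "flags": flags, "questions": questions, "trailing": trailing}


def strict_accepts(msg):
    """True if a strict parser would accept the message, False if it rejects it."""
    try:
        parse_message(msg, strict=True)
        return True
    except MalformedDNS:
        return False


if __name__ == "__main__":
    for label, pkt in (("clean", SAMPLE_QUERY), ("extra", SAMPLE_QUERY_WITH_EXTRA)):
        print(label, parse_message(pkt), "strict accepts:", strict_accepts(pkt))
```

The lenient path is what most resolvers and tools do in practice: the question is fully decodable, so they answer it and never look at the remainder. The strict path is the safer choice for anything that re-encodes or forwards messages, because bytes the parser silently dropped cannot be reasoned about; either way, the parser should decide explicitly rather than by accident.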

