[dns-operations] DNS request for ./NS with two extra bytes at the end

Roy Arends roy at dnss.ec
Thu May 26 08:08:13 UTC 2022


I’ve not looked for these, but will look now…

The additional two bytes seem to be the identifier in the DNS header, plus one, based on the two messages in the PCAP sample.

Roy

> On 26 May 2022, at 06:40, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
> [This has no operational consequences, it is just idle curiosity.]
> 
> A server receives a few packets/second coming from several IP
> addresses and querying ./NS (like in priming, or maybe in some
> reflection attacks). The server was never a root server, of course.
> 
> What is interesting is that all these packets have two extra bytes at
> the end, after the class. The UDP length is correct, but the DNS
> content is not. I don't show you the output of tshark, because it
> ignores these extra bytes (but you can see them with Wireshark or
> other tools). I attached a small pcap.
> 
> The source IP addresses (which may be spoofed) are all registered in
> China.
> 
> Did anyone see these requests?
> 
> Side question: what should the receiver do? tshark, as I said, drops
> these extra bytes, Wireshark flags no error (but displays the
> bytes). I did not test them with various DNS servers to see how they
> react. Ignoring the extra bytes in the name of the robustness
> principle? Instead, at least one DNS library rejects the packet as
> malformed.
> 
> <extra-bytes.pcap>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
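The two questions in the thread (are the trailing bytes really ID+1, and should a receiver ignore or reject them) can be checked against a capture with a small message parser. The following is an added example written for this archive page; it is not code from either poster or from the attached pcap. It builds its own constructed ./NS query modelled on the description above, parses the header, the question section and any records after it, and reports whatever bytes are left over. The `strict` flag chooses between the two receiver behaviours mentioned: silently ignoring the extra bytes (tshark's behaviour) or rejecting the message as malformed (the library's behaviour). Function names and the sample ID 0x1234 are this example's own choices.

```python
import struct

def build_root_ns_query(txid, trailing=b""):
    """Build a minimal ./NS IN query: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = b"\x00" + struct.pack("!HH", 2, 1)             # root label, NS, IN
    return header + question + trailing

# Constructed sample for this example (not the pcap from the thread): a ./NS query
# with ID 0x1234 followed by two bytes carrying 0x1235, i.e. ID+1.
SAMPLE_ID = 0x1234
SAMPLE = build_root_ns_query(SAMPLE_ID, struct.pack("!H", SAMPLE_ID + 1))

def parse_name(msg, off):
    """Parse an uncompressed name in the question section; returns (name, offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", off

def skip_name(msg, off):
    """Advance past a possibly compressed owner name in an RR; returns new offset."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2          # a compression pointer ends the name
        off += 1 + length

def parse_query(msg, strict=False):
    """Parse header, questions and RRs; collect whatever follows the last section.

    strict=False ignores trailing bytes (robustness principle);
    strict=True rejects the message as malformed.
    """
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = parse_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    # Skip any answer/authority/additional records (e.g. an EDNS OPT record) so
    # that only bytes beyond the counted sections are treated as trailing.
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength
        if off > len(msg):
            raise ValueError("truncated RDATA")
    trailing = msg[off:]
    if strict and trailing:
        raise ValueError("%d trailing byte(s) after the last section" % len(trailing))
    return {"id": txid, "flags": flags, "questions": questions, "trailing": trailing}

def describe_trailing(parsed):
    """Classify the leftover bytes, testing the ID+1 observation from the thread."""
    t = parsed["trailing"]
    if not t:
        return "none"
    if len(t) == 2 and struct.unpack("!H", t)[0] == (parsed["id"] + 1) & 0xFFFF:
        return "id_plus_one"
    return "other"

def accepted(msg, strict):
    """True if parse_query accepts msg under the chosen trailing-bytes policy."""
    try:
        parse_query(msg, strict=strict)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    p = parse_query(SAMPLE)
    print("id=%#06x questions=%s trailing=%s -> %s"
          % (p["id"], p["questions"], p["trailing"].hex(), describe_trailing(p)))
    print("lenient accepts:", accepted(SAMPLE, False), " strict accepts:", accepted(SAMPLE, True))
```

To run this over a real capture, feed each UDP payload to `parse_query` and tally `describe_trailing`; if every packet comes back `id_plus_one` the observation holds for the whole sample rather than just the two messages Roy looked at.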
