Should I be worried about this?
Kevin Darcy
kcd at daimlerchrysler.com
Wed Apr 12 22:36:34 UTC 2000
Zoe Wianiak wrote:
> Apr 12 07:53:36 Shears named[107]: wrong ans.
> name(\003144\00226\00212\007in-addr\004arpa\000\000\012\000\001\192\015\000\012\000\001\000\001Q\128\000\017\011topptelecom\003com
> != 238.144.26.12.in-addr.arpa)
>
> Could this be an attempt at a buffer overflow?
Unlikely. It's just named's cryptic way of saying it thinks it got a 144.26.12.in-addr.arpa answer to a 238.144.26.12.in-addr.arpa
question. The only reason it looks so big and nasty is because it's showing the raw wire format of the answer it got, with all of the
non-printable characters escaped. But it's actually the same size as the correct response would have been. In fact, it *is* the
correct response, except that a chunk of it has been shifted 4 bytes backwards (which just so happened to have neatly trimmed the
initial "238." from the answer, otherwise named would have probably just considered it a generic "malformed response"), with the
resulting gap filled by seemingly-random values. I don't think I've ever seen corruption quite like that before. Given the nature of
the corruption, I consider it more likely a problem with the responding server than with some network component.
Strangely, I'm not getting malformed responses from either ns1.hydrogenmedia.net or ns2.hydrogenmedia.net, the authoritative servers
for 144.26.12.in-addr.arpa. So either you got this bogon from a forwarder or the problem was only transient.
- Kevin
More information about the bind-users
mailing list