null DNS header on packets - AIX, excessive network traffic
Kevin Darcy
kcd at daimlerchrysler.com
Mon Jun 3 20:12:26 UTC 2002
asanders at cs.olemiss.edu wrote:
> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<ad8rrp$d1gm$1 at isrv4.isc.org>...
> > asanders at cs.olemiss.edu wrote:
> >
> > > I have a dns server (dns.mydomain.com) and a sendmail server
> > > (mailserver.mydomain.com) along with about 200 other servers not
> > > really in this picture. We have noticed that the DNS server is
> > > getting excessive traffic from the mail server. So I did a snoop:
> > >
> > > snoop -i /tmp/capt -t r | grep DNS
> > >
> > > Here is a sample of the output:
> > > 615 0.53065 dns.mydomain.com -> mailserver.mydomain.com DNS R
> > > port=50176
> > > 616 0.53076 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > port=50176
> > > 617 0.53095 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > port=50176
> > > 618 0.53158 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > Ilford.com. Internet Addr ?
> > > 619 0.53187 dns.mydomain.com -> mailserver.mydomain.com DNS R
> > > port=50176
> > > 620 0.53208 dns.mydomain.com -> mailserver.mydomain.com DNS R
> > > port=50176
> > > 621 0.53210 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > port=50176
> > >
> > > The question I have is what is the deal with packets like 616 & 617
> > > from the mail server and packet 619 from the dns server. By analyzing
> > > the individual packet using:
> > >
> > > snoop -i /tmp/capt -v -p616
> > >
> > > I get:
> > >
> > > ETHER: ----- Ether Header -----
> > > ETHER:
> > > ETHER: Packet 616 arrived at 10:26:10.82
> > > ETHER: Packet size = 54 bytes
> > > ETHER: Destination = 0:a0:c9:d1:da:e4,
> > > ETHER: Source = 8:0:20:a3:18:27, Sun
> > > ETHER: Ethertype = 0800 (IP)
> > > ETHER:
> > > IP: ----- IP Header -----
> > > IP:
> > > IP: Version = 4
> > > IP: Header length = 20 bytes
> > > IP: Type of service = 0x00
> > > IP: xxx. .... = 0 (precedence)
> > > IP: ...0 .... = normal delay
> > > IP: .... 0... = normal throughput
> > > IP: .... .0.. = normal reliability
> > > IP: Total length = 40 bytes
> > > IP: Identification = 60
> > > IP: Flags = 0x0
> > > IP: .0.. .... = may fragment
> > > IP: ..0. .... = last fragment
> > > IP: Fragment offset = 0 bytes
> > > IP: Time to live = 255 seconds/hops
> > > IP: Protocol = 6 (TCP)
> > > IP: Header checksum = 7da1
> > > IP: Source address = 141.129.10.7, mailserver.mydomain.com
> > > IP: Destination address = 164.103.2.3, dns.mydomain.com
> > > IP: No options
> > > IP:
> > > TCP: ----- TCP Header -----
> > > TCP:
> > > TCP: Source port = 50176
> > > TCP: Destination port = 53 (DNS)
> > > TCP: Sequence number = 285443549
> > > TCP: Acknowledgement number = 2876548548
> > > TCP: Data offset = 20 bytes
> > > TCP: Flags = 0x10
> > > TCP: ..0. .... = No urgent pointer
> > > TCP: ...1 .... = Acknowledgement
> > > TCP: .... 0... = No push
> > > TCP: .... .0.. = No reset
> > > TCP: .... ..0. = No Syn
> > > TCP: .... ...0 = No Fin
> > > TCP: Window = 33120
> > > TCP: Checksum = 0x4432
> > > TCP: Urgent pointer = 0
> > > TCP: No options
> > > TCP:
> > > DNS: ----- DNS: -----
> > > DNS:
> > > DNS: ""
> > > DNS:
> > >
> > > Notice the DNS header section is null. The packet reply from the DNS
> > > server is the same. There are many of the packets. Any insight would
> > > be greatly appreciated.
> >
> > This is just an ACK packet on a TCP connection. I wouldn't expect to see
> > a DNS header here.
> >
> >
> > - Kevin
>
> Thanks Kevin. Let me give you more details. My dns group came to me
> saying that our mailserver was doing excessive zone transfers with the
> dns server--which makes no sense b/c our mailserver is not running
> bind or anything that would do a zone transfer. So I am trying to
> find out what all of this communication is caused by. On, my
> mailserver I just did a netstat -an and grep'd for the IP of our
> mailserver & for the IP of the dns server and there are 933
> connections between these 2 servers. 864 are in TIME_WAIT status.
> All connections are coming from different mail server ports around
> 40000 to the dns server on port 53 (where bind is running). Got any
> ideas why there are so many connections?
Are they sure that these are zone transfers? Or, are they TCP connections to the DNS port that
your DNS folks are just *assuming* are zone transfers?
What mail software are you running, and how is it configured? It's conceivable that it might be
explicitly using TCP for DNS queries, for some extraterrestrial reason...
- Kevin
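The distinction Kevin is asking about can be settled from the capture rather than assumed: a TCP segment to port 53 with no payload (the ACKs shown above) carries no DNS header at all, while a segment that does carry data starts with a two-byte length prefix followed by a normal DNS message whose question section says whether it is an ordinary A/MX lookup or an AXFR/IXFR zone-transfer request. The following parser is an added example written for this page, not code from the thread or from BIND; the hostnames and the DNS-over-TCP messages it builds are constructed locally so it runs offline, and `classify_tcp_payload` is a hypothetical helper name.

```python
"""Classify the DNS payload of a TCP segment sent to port 53.

Constructed example: tells apart an empty segment (a pure ACK, which has
no DNS header to show), an ordinary query carried over TCP (A, MX, ...)
and a zone-transfer request (AXFR/IXFR). Everything is built inline.
"""
import struct

# RFC 1035 / RFC 1995 query type codes (subset)
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
               15: "MX", 28: "AAAA", 251: "IXFR", 252: "AXFR"}
ZONE_TRANSFER_TYPES = {251, 252}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_tcp_query(name, qtype, qid=0x1234):
    """Build a DNS query as sent over TCP: 2-byte length + message."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    message = header + question
    return struct.pack("!H", len(message)) + message


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def classify_tcp_payload(payload):
    """Return a dict describing what the TCP payload carries.

    kind is one of: empty (no data, e.g. a bare ACK), partial (length
    prefix promises more than is present), no-question, query, or
    zone-transfer.
    """
    if not payload:
        return {"kind": "empty"}
    if len(payload) < 2:
        return {"kind": "partial"}
    (msg_len,) = struct.unpack("!H", payload[:2])
    message = payload[2:2 + msg_len]
    if len(message) < msg_len or len(message) < 12:
        return {"kind": "partial"}
    qid, flags, qdcount = struct.unpack("!HHH", message[:6])
    is_response = bool(flags & 0x8000)  # QR bit
    if qdcount == 0:
        return {"kind": "no-question", "id": qid, "response": is_response}
    qname, offset = decode_name(message, 12)
    qtype, _qclass = struct.unpack("!HH", message[offset:offset + 4])
    kind = "zone-transfer" if qtype in ZONE_TRANSFER_TYPES else "query"
    return {"kind": kind, "id": qid, "response": is_response,
            "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype))}


if __name__ == "__main__":
    # Constructed samples: what the three kinds of segment would carry.
    samples = {
        "bare ACK": b"",
        "A query over TCP": build_tcp_query("Ilford.com", 1),
        "AXFR request": build_tcp_query("mydomain.com", 252),
    }
    for label, payload in samples.items():
        print(label, classify_tcp_payload(payload))
```

In practice the payload bytes come from the capture (snoop's hex dump of a data-bearing segment, or a tcpdump/pcap reader); only the segments with a non-empty payload tell you anything, and only an AXFR/IXFR question justifies calling the traffic a zone transfer. A flood of short-lived connections whose questions are A or MX lookups points instead at a resolver configured to use TCP, which is what Kevin suggests checking in the mail software.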