BIND in Windows - extra packets
Danny Mayer
mayer at gis.net
Mon Apr 25 05:11:56 UTC 2005
At 06:30 PM 4/21/2005, Schelly, Neil wrote:
>I am relatively new to running BIND in a Windows environment with a new job
>I've started recently, but a problem has come to our attention in its use
>here and I'm hoping someone else has had previous experience with it.
>
>Essentially, I've duplicated this problem with several recent 9.2 and 9.3
>releases of BIND in Windows 2000 Server and Windows XP Pro. Duplicating it
>is as easy as installing it with a blank named.conf file and directing your
>machine to use it for DNS lookups. I cannot duplicate the problem with BIND
>running in Linux.
>
>The problem is that DNS requests made to other DNS servers are followed
>almost instantaneously by another packet with no payload. A packet capture
>shows one or two of these 64-byte UDP packets following the real request.
>It doesn't happen after every request, but a packet capture of 200 packets
>or so is bound to catch a few instances of this happening. Ethereal shows
>these packets as "Malformed packets" because there's nothing in the actual
>packet payload to translate into a DNS request. I can attach a packet
>capture demonstrating this if it helps anyone, but I don't know the list
>policy on sending out attachments.
>
I'm not aware of anything that would cause this. The Windows socket
implementation was designed to have equal functionality as the Unix
code and I would not expect it to be sending out extra packets. You didn't
say what version of BIND you were running on Linux. Try using the
server statement:
server ip_addr { edns no;};
where ip_addr is the address of the server you are trying to reach and see
if it still sends out the extra packets. I recall that PIX has problems with
EDNS packets. EDNS may have nothing to do with the problem but
you never know. I can't imagine how it would send out extra packets.
Are they going to the same address/port?
The list server will strip attachments so don't try and in any case I doubt
that a lot of people are interested. I usually recommend people put these
things on a web server and provide a URL, unless it's very short.
>The server itself is working fine as far as performing lookups and returning
>the appropriate results. The problem that we're having is that our DNS
>servers are causing the Cisco PIX firewall (belonging to a customer of ours)
>to block traffic from our network. The firewall is interpreting these
>extraneous packets as some type of DDOS. I have been unable to find any
>mention of anyone having this problem before, but as I said, I have little
>experience running BIND in a Windows environment, so it could be normal.
>Also, since the server functions fine, it is unlikely that anyone would
>notice problems here - only by luck that we have. I'm tempted to call it a
>bug and report it as such, but wanted to know if anyone has experienced it
>before and has some insight.
You may want to check that PIX can handle the EDNS0 packets. I've
never heard of this either but I never used ethereal to look at the packets
when it was under development.
Danny
>
>Regards,
>
>Neil J. Schelly
>Engineer, Network Operations
>
>Gómez, Inc.
>Enabling Performance Excellence
>T 781.768.2445
>M 508-410-4776
>nschelly at gomez.com <mailto:nschelly at gomez.com>
>www.gomez.com <http://www.gomez.com/>
>
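A way to confirm from a capture what the thread describes, added here as an example that is not code from the thread or from BIND: it walks a classic pcap, and reports every IPv4/UDP frame on port 53 whose UDP length field says there is no payload at all, which is exactly what Ethereal flags as "Malformed" here. The capture, the DNS query bytes and the addresses are constructed for the example; it assumes an Ethernet link type and does not look at the DNS message itself.

```python
import struct
from typing import Iterator, List, Tuple

def pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen

def udp53_records(pcap: bytes) -> List[Tuple[int, str, str, int]]:
    """(frame_no, src, dst, udp_payload_len) for every IPv4/UDP frame on port 53."""
    out = []
    for no, f in enumerate(pcap_frames(pcap), start=1):
        if len(f) < 42 or f[12:14] != b"\x08\x00" or f[23] != 17:
            continue  # not IPv4 over Ethernet, or not UDP
        ihl = (f[14] & 0x0F) * 4
        sport, dport, ulen = struct.unpack_from("!HHH", f, 14 + ihl)
        if 53 in (sport, dport):
            src = ".".join(map(str, f[26:30]))
            dst = ".".join(map(str, f[30:34]))
            out.append((no, src, dst, ulen - 8))  # ulen counts the 8-byte UDP header
    return out

def empty_dns_frames(pcap: bytes) -> List[Tuple[int, str, str, int]]:
    """The 'malformed' packets from the thread: UDP to/from port 53 with no payload."""
    return [r for r in udp53_records(pcap) if r[3] == 0]

# --- constructed sample capture (not a real trace) --------------------------

def _ip(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))

def _frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     _ip(src), _ip(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + udp + payload
    return frame.ljust(60, b"\x00")  # pad to the Ethernet minimum, as on the wire

def sample_capture() -> bytes:
    query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")  # constructed A query
    frames = [_frame("192.0.2.10", "198.51.100.1", 40000, 53, query),
              _frame("192.0.2.10", "198.51.100.1", 40000, 53, b""),  # the extra packet
              _frame("198.51.100.1", "192.0.2.10", 53, 40000, query)]  # reply stand-in
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Run `empty_dns_frames(open("trace.pcap", "rb").read())` on a real capture; each hit's frame number can be compared with the DNS query just before it to see whether the empty packet goes to the same address and port, which is the question raised in the reply above.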