Got bad packet: bad label type
Joseph Karpenko (jkarpenk)
jkarpenk at cisco.com
Wed Oct 22 01:29:47 UTC 2008
scapy (https://www.secdev.org/projects/scapy/) can also decode at this
layer pretty quickly and you can write the result to a pcap file.
>>> p=DNS(import_hexcap())
0000 2b 3c 81 80 00 01 00 04 00 00 00 00 09 5f 6b 65
0010 72 62 65 72 6f 73 04 5f 75 64 70 05 49 54 57 45
0020 42 05 57 45 42 4d 44 03 4e 45 54 00 00 21 00 01
0030 c0 0c 00 21 00 01 00 00 00 77 00 10 00 00 00 64
0040 00 58 07 64 6e 79 64 63 30 32 c0 3f c0 0c 00 21
0050 00 01 00 00 00 77 00 10 00 00 00 64 00 58 07 64
0060 6e 79 64 63 30 31 c0 3f c0 0c 00 21 00 01 00 00
0070 00 77 00 10 00 00 00 64 00 58 07 64 6e 6a 64 63
0080 30 32 c0 3f c0 0c 00 21 00 01 00 00 00 77 00 10
0090 00 00 00 64 00 58 07 64 6e 6a 64 63 30 31 c0 3f
>>>
>>> p
<DNS id=11068 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=ok
qdcount=1 ancount=4 nscount=0 arcount=0 qd=<DNSQR
qname='_kerberos._udp.ITWEB.WEBMD.NET.' qtype=SRV qclass=IN |> an=<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc01\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc01\xc0?' |>>>> ns=0 ar=0 |>
>>>
>>>
>>> p.show(),hexdump(p)
###[ DNS ]###
id= 11068
qr= 1L
opcode= QUERY
aa= 0L
tc= 0L
rd= 1L
ra= 1L
z= 0L
rcode= ok
qdcount= 1
ancount= 4
nscount= 0
arcount= 0
\qd\
|###[ DNS Question Record ]###
| qname= '_kerberos._udp.ITWEB.WEBMD.NET.'
| qtype= SRV
| qclass= IN
\an\
|###[ DNS Resource Record ]###
| rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
| type= SRV
| rclass= IN
| ttl= 119L
| rdlen= 16
| rdata= '\x00\x00\x00d\x00X\x07dnydc02\xc0?'
|###[ DNS Resource Record ]###
| rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
| type= SRV
| rclass= IN
| ttl= 119L
| rdlen= 16
| rdata= '\x00\x00\x00d\x00X\x07dnydc01\xc0?'
|###[ DNS Resource Record ]###
| rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
| type= SRV
| rclass= IN
| ttl= 119L
| rdlen= 16
| rdata= '\x00\x00\x00d\x00X\x07dnjdc02\xc0?'
|###[ DNS Resource Record ]###
| rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
| type= SRV
| rclass= IN
| ttl= 119L
| rdlen= 16
| rdata= '\x00\x00\x00d\x00X\x07dnjdc01\xc0?'
ns= 0
ar= 0
0000 2B 3C 81 80 00 01 00 04 00 00 00 00 09 5F 6B 65  +<..........._ke
0010 72 62 65 72 6F 73 04 5F 75 64 70 05 49 54 57 45  rberos._udp.ITWE
0020 42 05 57 45 42 4D 44 03 4E 45 54 00 00 21 00 01  B.WEBMD.NET..!..
0030 09 5F 6B 65 72 62 65 72 6F 73 04 5F 75 64 70 05  ._kerberos._udp.
0040 49 54 57 45 42 05 57 45 42 4D 44 03 4E 45 54 00  ITWEB.WEBMD.NET.
0050 00 21 00 01 00 00 00 77 00 10 00 00 00 64 00 58  .!.....w.....d.X
0060 07 64 6E 79 64 63 30 32 C0 3F 09 5F 6B 65 72 62  .dnydc02.?._kerb
0070 65 72 6F 73 04 5F 75 64 70 05 49 54 57 45 42 05  eros._udp.ITWEB.
0080 57 45 42 4D 44 03 4E 45 54 00 00 21 00 01 00 00  WEBMD.NET..!....
0090 00 77 00 10 00 00 00 64 00 58 07 64 6E 79 64 63  .w.....d.X.dnydc
00a0 30 31 C0 3F 09 5F 6B 65 72 62 65 72 6F 73 04 5F  01.?._kerberos._
00b0 75 64 70 05 49 54 57 45 42 05 57 45 42 4D 44 03  udp.ITWEB.WEBMD.
00c0 4E 45 54 00 00 21 00 01 00 00 00 77 00 10 00 00  NET..!.....w....
00d0 00 64 00 58 07 64 6E 6A 64 63 30 32 C0 3F 09 5F  .d.X.dnjdc02.?._
00e0 6B 65 72 62 65 72 6F 73 04 5F 75 64 70 05 49 54  kerberos._udp.IT
00f0 57 45 42 05 57 45 42 4D 44 03 4E 45 54 00 00 21  WEB.WEBMD.NET..!
0100 00 01 00 00 00 77 00 10 00 00 00 64 00 58 07 64  .....w.....d.X.d
0110 6E 6A 64 63 30 31 C0 3F                          njdc01.?
(None, None)
>>>
>>> ## we only have the DNS layer, need to add Ethernet,
>>> ## IP, and UDP and then write the pcap:
>>>
>>> p=Ether()/IP()/UDP()/p
>>> p
<Ether type=IPv4 |<IP frag=0 proto=UDP |<UDP sport=domain |<DNS
id=11068 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=ok
qdcount=1 ancount=4 nscount=0 arcount=0 qd=<DNSQR
qname='_kerberos._udp.ITWEB.WEBMD.NET.' qtype=SRV qclass=IN |> an=<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc01\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc01\xc0?' |>>>> ns=0 ar=0 |>>>>
>>>
>>> wrpcap("/tmp/dns-bad-label-type.pcap", p)
>>>
cheers,
---
karpenko
> From: bind-users-bounce at isc.org
> [mailto:bind-users-bounce at isc.org] On Behalf Of Mark Andrews
> Sent: Tuesday, October 21, 2008 7:47 PM
> To: Linux Addict
> Cc: bind-users at isc.org
> Subject: Re: Got bad packet: bad label type
>
>
> In message <707abafb0810211732o3a20fb31x8fa36e3c7036553f at mail.gmail.com>,
> "Linux Addict" writes:
> > On Tue, Oct 21, 2008 at 6:24 PM, Mark Andrews <Mark_Andrews at isc.org> wrote:
> >
> > >
> > > In message <707abafb0810211024m2d1a3e55j5d495433db242217 at mail.gmail.com>,
> > > "Linux Addict" writes:
> > > > I get this error when I try resolve some specific records. Anyone know what
> > > > it means and how to resolve it.
> > >
> > > You got a malformed packet.
> > >
> > > > ;; Got bad packet: bad label type
> > > > 160 bytes
> > > > 2b 3c 81 80 00 01 00 04 00 00 00 00 09 5f 6b 65
> > > id=11068
> > > questions=1
> > > answers=4
> > > authority=0
> > > additional=0
> > > _kerberos.
> > > > 72 62 65 72 6f 73 04 5f 75 64 70 05 49 54 57 45
> > > _tcp. ITWEB.
> > > > 42 05 57 45 42 4d 44 03 4e 45 54 00 00 21 00 01
> > > WEBMD. CET. SRV IN
> > > > c0 0c 00 21 00 01 00 00 00 77 00 10 00 00 00 64 <------------------\
> > > compression point to offset 0x0c (_tcp.ITWEB.WEBMD.CET.)             |
> > > SRV IN 119 16 0 100                                                  |
> > > > 00 58 07 64 6e 79 64 63 30 32 c0 3f c0 0c 00 21                    |
> > > 88 dnydc02. compression pointer to offset 3f ----/
> > > (which is 0x64, which is not a valid label).
> > > > 00 01 00 00 00 77 00 10 00 00 00 64 00 58 07 64
> > > > 6e 79 64 63 30 31 c0 3f c0 0c 00 21 00 01 00 00
> > > > 00 77 00 10 00 00 00 64 00 58 07 64 6e 6a 64 63
> > > > 30 32 c0 3f c0 0c 00 21 00 01 00 00 00 77 00 10
> > > > 00 00 00 64 00 58 07 64 6e 6a 64 63 30 31 c0 3f
> > > >
> > > > Thanks
> > > > LA
> > > >
> > > >
> > > >
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742 INTERNET:
> Mark_Andrews at isc.org
> > >
> >
> >
> > This is awesome!! How did you decode it?
>
> The contents of a DNS packet are described in RFCs 1034 and
> RFC 1035. It's a simple matter to just read the data.
>
> > Now How do I fix it?
>
> You fix the server (usually that means upgrade) that sent
> you the response and/or any middle box (nat/firewall) that
> mucked with the packet's contents.
>
> All the compression pointers in the SRV records are bad
> which rules out random packet corruption. So you are looking
> at the software that wrote / re-wrote the DNS payload.
>
> Mark
> >
> > Thanks, LA
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
>
>
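
Added example, not part of the original thread and not code from scapy or BIND: an RFC 1035 name decoder run over the 160-byte response quoted above, showing which byte each SRV target's compression pointer lands on. The names read_name and audit_srv are hypothetical; the decoder assumes only plain labels and compression pointers are valid, and the hex is copied from the dump in the post.

```python
import struct

PKT = bytes.fromhex(  # 160-byte response from the thread's hex dump
    "2b3c81800001000400000000095f6b65" "726265726f73045f7564700549545745"
    "42055745424d44034e45540000210001" "c00c0021000100000077001000000064"
    "005807646e7964633032c03fc00c0021" "00010000007700100000006400580764"
    "6e7964633031c03fc00c002100010000" "0077001000000064005807646e6a6463"
    "3032c03fc00c00210001000000770010" "00000064005807646e6a64633031c03f")

def read_name(msg, off):
    """Decode the RFC 1035 name at off; return (name, offset just past it)."""
    labels, end, seen = [], None, set()
    while True:
        if off >= len(msg):
            raise ValueError(f"name runs past end of message at 0x{off:02x}")
        n = msg[off]
        if n & 0xC0 == 0xC0:                # 11xxxxxx: compression pointer
            if off + 1 >= len(msg) or off in seen:
                raise ValueError(f"truncated or looping pointer at 0x{off:02x}")
            seen.add(off)
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n & 0xC0:                      # 01/10 prefix: not a plain label
            raise ValueError(f"bad label type 0x{n:02x} at offset 0x{off:02x}")
        elif n == 0:                        # root label ends the name
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:                               # ordinary label of n bytes
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def audit_srv(msg):
    """Return [(rr_offset, owner, target-or-error)] for each SRV answer."""
    qd, an = struct.unpack_from("!HH", msg, 4)
    off, out = 12, []
    for _ in range(qd):                     # skip questions: name, type, class
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        start = off
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 33:                     # SRV rdata: prio, weight, port, target
            try:
                result = read_name(msg, off + 6)[0]
            except ValueError as exc:
                result = f"ERROR: {exc}"
            out.append((start, owner, result))
        off += rdlen
    return out
```

Calling audit_srv(PKT) reports the same failure for all four answers: the owner name pointer (c0 0c) resolves, while the target pointer (c0 3f) lands on the 0x64 byte of the first record's weight field.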