Weird query packets

Lack Mr G M gml4410 at ggr.co.uk
Wed Jan 19 17:34:35 UTC 2000


  Here is an example of a query packet I have seen being sent around my
network (actual query value edited, but general idea left unchanged).

 16   0.00246 "outlying DNS server" -> "central DNS server"  DNS R port=32821 

           0: 0900 33a0 3e1b 0900 0400 f417 0800 4500    ....>.........E.
          16: 004b dc60 0000 3d11 8552 ac11 0c01 93b8    .K.`..=..R......
          32: d024 0035 8035 0037 195d 8b77 8182 0001    .$.5.5.7.].w....
          48: 0000 0000 0000 1057 5757 2e47 5545 5353    .......WWW.GUESS
          64: 2e43 4f2e 554b 0006 646f 6d61 696e 056c    .CO.UK..domain.l
          80: 6f63 616c 0000 0100 01                     ocal.....


   This seems to have the characteristics of a query-within-a-query! 
The "WWW.GUESS.CO.UK" (along with a trailing NULL character) is being
looked for in the domain.local zone.

   Has anyone seen any such query packets?

   Does anyone know what might cause them? 

   The "central DNS server" (running bind 8.2.2-P5) is configured to
forward queries about "domain.local" to the "outlying DNS server"
(running named on HP-UX 10.20).  The "outlying DNS server" has "central
DNS server" as a forwarder (yes, this does make sense...).


   The result seems to be that the central server reckons the query is
in domain.local so sends it to the outlying one. This sends it back,
almost as though it takes the first part of the query, reckons the
query is for "WWW.GUESS.CO.UK" and so sends it to its forwarder.



-- 
--------- Gordon Lack --------------- gml4410 at ggr.co.uk  ------------
This message *may* reflect my personal opinion.  It is *not* intended
to reflect those of my employer, or anyone else.
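
As an added example (not part of the original post), this Python sketch decodes the question section of the frame in the hex dump above and flags any label containing a "." or NUL byte, which is how a complete name packed into a single label shows up on the wire. The function names are hypothetical, and the code assumes an untagged Ethernet II / IPv4 / UDP frame.

```python
import struct

# Frame bytes copied from the hex dump in the post (Ethernet + IPv4 + UDP + DNS).
FRAME = bytes.fromhex(
    "090033a03e1b09000400f41708004500"
    "004bdc6000003d118552ac110c0193b8"
    "d024003580350037195d8b7781820001"
    "000000000000105757572e4755455353"
    "2e434f2e554b0006646f6d61696e056c"
    "6f63616c0000010001"
)

def dns_payload(frame):
    """Strip Ethernet II, IPv4 and UDP headers (assumes no VLAN tag)."""
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    return frame[14 + ihl + 8:]           # 14 = Ethernet, 8 = UDP header

def question_labels(msg):
    """Return (labels, qtype, qclass) for the first question of a DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []                  # question starts after 12-byte header
    while True:
        length = msg[pos]
        if length == 0:                   # root label terminates the QNAME
            pos += 1
            break
        if length > 63:
            raise ValueError("compression pointer or bad label length in QNAME")
        labels.append(msg[pos + 1:pos + 1 + length])
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return labels, qtype, qclass

def suspicious_labels(labels):
    """Labels holding a '.' or NUL byte: a whole name packed into one label."""
    return [l for l in labels if b"." in l or b"\x00" in l]

if __name__ == "__main__":
    labels, qtype, qclass = question_labels(dns_payload(FRAME))
    print("labels:", labels, "qtype:", qtype, "qclass:", qclass)
    print("suspicious:", suspicious_labels(labels))
```
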


