why do we see: "Opcode 6 not implemented"
Jim Reid
jim at rfc1035.com
Sat Aug 18 11:31:47 UTC 2001
>>>>> "Danny" == Danny Thomas <D.Thomas at its.uq.edu.au> writes:
Danny> our main resolving nameserver (8.2.4) is being hit fairly
Danny> hard from one client
Danny> datagram from [203.101.253.17].464, fd 20, len 99
Danny> ns_req: Opcode 6 not implemented
Danny> ns_req: answer -> [203.101.253.17].464 fd=20 id=32353 size=12 rc=4
Danny> http://www.iana.org/assignments/dns-parameters
Danny> /usr/include/arpa/nameser.h
Danny> <bind8>/src/include/arpa/nameser.h (bind 9.1 doesn't have
Danny> similar include)
Danny> implies opcode 6 is not defined
Danny> the hostname implies it's a mail server and nmap
Danny> fingerprints it as Win2K professional
Danny> any ideas what's causing this?
Well it looks like Microsoft are doing something naughty like using an
opcode without getting it assigned for a specific purpose. The source
port number on the system sending these weird packets (474) might
identify what's actually sending them. I've no idea what that port is
used for and can't be bothered looking it up. My guess is it'll be some
weird M$ Active Directory stuff that's responsible for the traffic.
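
Added example, not part of the original post and not BIND's code: a Python sketch that decodes the opcode field from a DNS header and builds the header-only reply that matches the logged `size=12 rc=4`. The sample datagram is constructed (only its id and length come from the log), the function names are hypothetical, and the opcode table is assumed to reflect the opcodes defined at the time of this thread.

```python
import struct

# Assumption: opcodes defined when this thread was written (2001);
# 3 and 6-15 were unassigned.
ASSIGNED_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODE_NOTIMP = 4   # "Not Implemented", the rc=4 in the log
HEADER_LEN = 12    # fixed DNS header size, the size=12 in the log


def parse_header(datagram: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", datagram[:HEADER_LEN])
    return {
        "id": msg_id,
        "qr": flags >> 15,               # 0 = request, 1 = response
        "opcode": (flags >> 11) & 0xF,   # 4-bit opcode field
        "rcode": flags & 0xF,            # 4-bit response code
        "counts": (qd, an, ns, ar),
    }


def notimp_reply(datagram: bytes):
    """Return a header-only NOTIMP reply for an unassigned opcode, else None."""
    hdr = parse_header(datagram)
    if hdr["qr"] == 1 or hdr["opcode"] in ASSIGNED_OPCODES:
        return None
    # Set QR, echo the opcode, set rcode; all section counts are zero.
    flags = 0x8000 | (hdr["opcode"] << 11) | RCODE_NOTIMP
    return struct.pack("!6H", hdr["id"], flags, 0, 0, 0, 0)


def describe(datagram: bytes) -> str:
    """One-line summary suitable for grepping a capture for odd opcodes."""
    hdr = parse_header(datagram)
    name = ASSIGNED_OPCODES.get(hdr["opcode"], "unassigned")
    return f"id={hdr['id']} opcode={hdr['opcode']} ({name}) len={len(datagram)}"


# Constructed sample: id 32353 and length 99 are from the log; the body is padding.
SAMPLE = struct.pack("!6H", 32353, 6 << 11, 0, 0, 0, 0) + bytes(87)

if __name__ == "__main__":
    print(describe(SAMPLE))
    reply = notimp_reply(SAMPLE)
    print(f"reply size={len(reply)} rc={parse_header(reply)['rcode']}")
```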