why do we see: "Opcode 6 not implemented"

Jim Reid jim at rfc1035.com
Sat Aug 18 11:31:47 UTC 2001


>>>>> "Danny" == Danny Thomas <D.Thomas at its.uq.edu.au> writes:

    Danny> our main resolving nameserver (8.2.4) is being hit fairly
    Danny> hard from one client

    Danny> datagram from [203.101.253.17].464, fd 20, len 99
    Danny> ns_req: Opcode 6 not implemented
    Danny> ns_req: answer -> [203.101.253.17].464 fd=20 id=32353 size=12 rc=4

    Danny> http://www.iana.org/assignments/dns-parameters
    Danny> /usr/include/arpa/nameser.h
    Danny> <bind8>/src/include/arpa/nameser.h (bind 9.1 doesn't have
    Danny> similar include)

    Danny> implies opcode 6 is not defined

    Danny> the hostname implies it's a mail server and nmap
    Danny> fingerprints it as Win2K professional

    Danny> any ideas what's causing this?

Well it looks like Microsoft are doing something naughty like using an
opcode without getting it assigned for a specific purpose. The source
port number on the system sending these weird packets (474) might
identify what's actually sending them. I've no idea what that port is
used for and can't be bothered looking it up. My guess is it'll be some
weird M$ Active Directory stuff that's responsible for the traffic.
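How the logged values fit together, as an added example that is not part of the original message and is not BIND's code: a DNS header decoder that pulls the opcode out of the flags word and models the header-only reply the log reports (size=12, rc=4). The opcode table is typed in from the classic arpa/nameser.h definitions as an assumption, and the sample datagram is constructed from the id and length in the log.

```python
import struct

# Opcodes defined in the classic arpa/nameser.h (assumption: typed in here,
# not copied from the page). Values 3 and 6 have no definition there.
KNOWN_OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODE_NOTIMP = 4  # the "rc=4" in the log


def parse_header(datagram):
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(datagram) < 12:
        raise ValueError("datagram shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", datagram[:12])
    return {
        "id": msg_id,
        "qr": flags >> 15,              # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 4-bit field after QR
        "rcode": flags & 0xF,           # low 4 bits
        "counts": (qd, an, ns, ar),
    }


def notimp_reply(datagram):
    """Model of the server's reaction: a header-only NOTIMP reply for a
    request whose opcode is not in the table, otherwise None."""
    h = parse_header(datagram)
    if h["qr"] == 1 or h["opcode"] in KNOWN_OPCODES:
        return None
    # QR=1, opcode echoed, RCODE=NOTIMP, all section counts zero.
    flags = 0x8000 | (h["opcode"] << 11) | RCODE_NOTIMP
    return struct.pack("!6H", h["id"], flags, 0, 0, 0, 0)


# Constructed sample: id 32353 and total length 99 as in the log, opcode 6,
# with the 87 bytes after the header zero-filled because the page does not
# show the payload.
SAMPLE = struct.pack("!6H", 32353, 6 << 11, 0, 0, 0, 0) + bytes(87)

if __name__ == "__main__":
    reply = notimp_reply(SAMPLE)
    print(parse_header(SAMPLE))
    print(len(reply), parse_header(reply))
```
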

