Malformed response asking for SRV records

Humes, David G. David.Humes at jhuapl.edu
Wed Jun 16 22:00:58 UTC 2004


We've noticed a situation recently where a remote name server is sending
what appear to be malformed responses to queries for external SRV records.
Here's an example:

1.  Our DNS server sends request for SRV record
08:32:00.828185 128.244.197.32.53 > 216.52.184.230.53:  [udp sum ok] 44929
[1au] SRV ?
_ldap._tcp.3c73ad35-bf08-471e-b10e-4445085745b7.domains._msdcs.chemimage.com
. . OPT  UDPsize=2048 (105) (DF) (ttl 252, id 57663, len 133)

2.  Remote server responds.  Transaction ID=0, QR=0, RCODE=02
08:32:00.875685 216.52.184.230.53 > 128.244.197.32.53:  [udp sum ok] 0
[b2&3=0x2] [0q] (12) (ttl 112, id 38777, len 40)

3.  Our DNS server responds with Format Error, QR=1, RCODE=01
08:32:00.876127 128.244.197.32.53 > 216.52.184.230.53:  [udp sum ok] 0
FormErr- [0q] 0/0/0 (12) (DF) (ttl 252, id 57664, len 40)

4.  Remote server responds with Format Error, QR=1, RCODE=01
08:32:00.924122 216.52.184.230.53 > 128.244.197.32.53:  [udp sum ok] 0
FormErr- [0q] 0/0/0 (12) (ttl 112, id 38988, len 40)

FWIW, we have many normal exchanges with this name server throughout the
day.  It's only this query for the SRV record that's causing the strange
packets.  Also, FWIW, if I query this nameserver directly for the SRV record
using nslookup, I get no response rather than the strange packets.  The only
difference that I can see is that nslookup uses a src port > 1024 rather
than src port 53.  I was going to contact the NIC contact, but just wanted
to make certain that this is not expected behavior.

Thanks.

--Dave
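
An added example, not part of the original post: a header check that a resolver operator could run over captured port-53 payloads to flag packets like the ones in steps 2 and 4. The sample packets are constructed from the field values shown in the trace (ID 0, bytes 2 and 3 = 0x0002, zero counts); the function names and anomaly labels are hypothetical.

```python
import struct
from typing import List, NamedTuple, Set

class DnsHeader(NamedTuple):
    txid: int
    qr: int
    opcode: int
    rcode: int
    qdcount: int

def parse_header(packet: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("DNS header needs 12 bytes")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    return DnsHeader(txid, flags >> 15, (flags >> 11) & 0xF, flags & 0xF, qd)

def classify(packet: bytes, pending_ids: Set[int]) -> List[str]:
    """Return anomaly labels for a packet received from a server we queried."""
    h = parse_header(packet)
    found = []
    # RCODE is only meaningful in responses; a "query" carrying one is suspect.
    if h.qr == 0 and h.rcode != 0:
        found.append("qr0-with-rcode")
    # A standard query (opcode 0) must carry a question section.
    if h.qr == 0 and h.opcode == 0 and h.qdcount == 0:
        found.append("no-question")
    # The ID must match a query we actually have outstanding.
    if h.txid not in pending_ids:
        found.append("unmatched-id")
    return found

# Constructed from the trace: our query used ID 44929.
PENDING = {44929}
STEP2 = struct.pack("!6H", 0, 0x0002, 0, 0, 0, 0)      # QR=0, RCODE=2, [0q]
STEP4 = struct.pack("!6H", 0, 0x8001, 0, 0, 0, 0)      # QR=1, FormErr, [0q]
NORMAL = struct.pack("!6H", 44929, 0x8400, 1, 1, 0, 0)  # constructed normal reply header

if __name__ == "__main__":
    for name, pkt in (("step 2", STEP2), ("step 4", STEP4), ("normal", NORMAL)):
        print(name, parse_header(pkt), classify(pkt, PENDING))
```

Because the step 2 packet has QR=0, a server receiving it on port 53 treats it as an incoming query, which is consistent with the FormErr reply in step 3.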

