[SPAM]Re: Malformed response asking for SRV records
Humes, David G.
David.Humes at jhuapl.edu
Thu Jun 17 16:03:03 UTC 2004
I don't think the EDNS0 extensions are causing the problem. I can see
normal exchanges with this DNS server when we're just looking up A records.
Here are two packets showing a normal exchange where the EDNS0 extensions are
in use:
9 103.632843 128.244.197.32 -> 216.52.184.230 DNS Standard query A
zoo.parkingspa.com
0000 00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00 ..MN.A....S...E.
0010 00 4b 80 e5 40 00 fc 11 26 8c 80 f4 c5 20 d8 34 .K..@...&.... .4
0020 b8 e6 00 35 00 35 00 37 5d 1b 44 2e 00 10 00 01 ...5.5.7].D.....
0030 00 00 00 00 00 01 03 7a 6f 6f 0a 70 61 72 6b 69 .......zoo.parki
0040 6e 67 73 70 61 03 63 6f 6d 00 00 01 00 01 00 00 ngspa.com.......
0050 29 08 00 00 00 00 00 00 00 )........
10 103.689977 dns2.name-services.com -> 128.244.197.32 DNS Standard query
response A 69.41.174.31
0000 00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00 ....S...MN.A..E.
0010 01 3e 05 ab 00 00 70 11 6c d4 d8 34 b8 e6 80 f4 .>....p.l..4....
0020 c5 20 00 35 00 35 01 2a 7c 9a 44 2e 84 00 00 01 . .5.5.*|.D.....
0030 00 01 00 05 00 05 03 7a 6f 6f 0a 70 61 72 6b 69 .......zoo.parki
0040 6e 67 73 70 61 03 63 6f 6d 00 00 01 00 01 03 7a ngspa.com......z
0050 6f 6f 0a 70 61 72 6b 69 6e 67 73 70 61 03 63 6f oo.parkingspa.co
0060 6d 00 00 01 00 01 00 00 0e 11 00 04 45 29 ae 1f m...........E)..
0070 0a 70 61 72 6b 69 6e 67 73 70 61 c0 33 00 02 00 .parkingspa.3...
0080 01 00 00 0e 10 00 15 04 64 6e 73 31 0d 6e 61 6d ........dns1.nam
0090 65 2d 73 65 72 76 69 63 65 73 c0 33 c0 46 00 02 e-services.3.F..
00a0 00 01 00 00 0e 10 00 07 04 64 6e 73 32 c0 62 c0 .........dns2.b.
00b0 46 00 02 00 01 00 00 0e 10 00 07 04 64 6e 73 33 F...........dns3
00c0 c0 62 c0 46 00 02 00 01 00 00 0e 10 00 07 04 64 .b.F...........d
00d0 6e 73 34 c0 62 c0 46 00 02 00 01 00 00 0e 10 00 ns4.b.F.........
00e0 07 04 64 6e 73 35 c0 62 c0 5d 00 01 00 01 00 00 ..dns5.b.]......
00f0 0e 10 00 04 3f fb a3 66 04 64 6e 73 32 c0 62 00 ....?..f.dns2.b.
0100 01 00 01 00 00 0e 10 00 04 d8 34 b8 e6 04 64 6e ..........4...dn
0110 73 33 c0 62 00 01 00 01 00 00 0e 10 00 04 3f fb s3.b..........?.
0120 53 24 04 64 6e 73 34 c0 62 00 01 00 01 00 00 0e S$.dns4.b.......
0130 10 00 04 40 4a 60 f2 04 64 6e 73 35 c0 62 00 01 ...@J`..dns5.b..
0140 00 01 00 00 0e 10 00 04 d4 76 f3 76 .........v.v
Here are the requested raw packets for the abnormal exchanges:
1 0.000000 128.244.197.32 -> 216.52.184.230 DNS Standard query SRV
_ldap._tcp.3c73ad35-bf08-471e-b10e-4445085745b7.domains._msdcs.chemimage.com
0000 00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00 ..MN.A....S...E.
0010 00 85 e1 3f 40 00 fc 11 c5 f7 80 f4 c5 20 d8 34 ...?@........ .4
0020 b8 e6 00 35 00 35 00 71 de fc af 81 00 10 00 01 ...5.5.q........
0030 00 00 00 00 00 01 05 5f 6c 64 61 70 04 5f 74 63 ......._ldap._tc
0040 70 24 33 63 37 33 61 64 33 35 2d 62 66 30 38 2d p$3c73ad35-bf08-
0050 34 37 31 65 2d 62 31 30 65 2d 34 34 34 35 30 38 471e-b10e-444508
0060 35 37 34 35 62 37 07 64 6f 6d 61 69 6e 73 06 5f 5745b7.domains._
0070 6d 73 64 63 73 09 63 68 65 6d 69 6d 61 67 65 03 msdcs.chemimage.
0080 63 6f 6d 00 00 21 00 01 00 00 29 08 00 00 00 00 com..!....).....
0090 00 00 00 ...
2 0.047500 216.52.184.230 -> 128.244.197.32 DNS Standard query
0000 00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00 ....S...MN.A..E.
0010 00 28 97 79 00 00 70 11 dc 1b d8 34 b8 e6 80 f4 .(.y..p....4....
0020 c5 20 00 35 00 35 00 14 28 2a 00 00 00 02 00 00 . .5.5..(*......
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
3 0.047942 128.244.197.32 -> 216.52.184.230 DNS Standard query response,
Format error
0000 00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00 ..MN.A....S...E.
0010 00 28 e1 40 40 00 fc 11 c6 53 80 f4 c5 20 d8 34 .(.@@....S... .4
0020 b8 e6 00 35 00 35 00 14 a8 2a 00 00 80 01 00 00 ...5.5...*......
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
4 0.095937 216.52.184.230 -> 128.244.197.32 DNS Standard query response,
Format error
0000 00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00 ....S...MN.A..E.
0010 00 28 98 4c 00 00 70 11 db 48 d8 34 b8 e6 80 f4 .(.L..p..H.4....
0020 c5 20 00 35 00 35 00 14 a8 2a 00 00 80 01 00 00 . .5.5...*......
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Kevin Darcy
> Sent: Wednesday, June 16, 2004 8:08 PM
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: [SPAM]Re: Malformed response asking for SRV records
>
>
> Barry Margolin wrote:
>
> >In article <caqgmj$mo2$1 at sf1.isc.org>,
> > "Humes, David G." <David.Humes at jhuapl.edu> wrote:
> >
> >
> >
> >>We've noticed a situation recently where a remote name server is sending
> >>what appear to be malformed responses to queries for external SRV records.
> >>Here's an example:
> >>
> >>1. Our DNS server sends request for SRV record
> >>08:32:00.828185 128.244.197.32.53 > 216.52.184.230.53: [udp sum ok] 44929
> >>[1au] SRV ?
> >>_ldap._tcp.3c73ad35-bf08-471e-b10e-4445085745b7.domains._msdcs.chemimage.com
> >>. . OPT UDPsize=2048 (105) (DF) (ttl 252, id 57663, len 133)
> >>
> >>2. Remote server responds. Transaction ID=0, QR=0, RCODE=02
> >>08:32:00.875685 216.52.184.230.53 > 128.244.197.32.53: [udp sum ok] 0
> >>[b2&3=0x2] [0q] (12) (ttl 112, id 38777, len 40)
> >>
> >
> >It looks like your server is making use of EDNS0 extensions, but this is
> >confusing the remote server. Try turning this off and see if it helps.
> >
> Shouldn't really matter, since a failed EDNS0 query should be followed
> up by a non-EDNS0 version of the query automatically.
>
> I have to admit being pretty confused by those traces, though: some of
> the so-called "responses" show "QR=0" with a non-zero RCODE (???); plus
> is "id" supposed to be query ID, if so, why don't they match up, and
> what is "Transaction ID" then; why do some of the entries show the QR
> value, and others not; why is the RCODE sometimes shown in symbolic form
> (e.g. "FormErr-"), and other times not???? Looks like the packet-tracing
> tool is trying to be smarter about interpreting DNS packets than it
> really is.
>
> Perhaps raw packet dumps would be less ambiguous.
>
> - Kevin
>
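Since the thread turns on what the raw bytes actually say, here is an added example (Python, written for this archive page; it is not code from the post or from BIND) that decodes frames 1, 2 and 3 of the abnormal exchange above straight from their hex dumps. It strips the ASCII column, walks Ethernet, IPv4 and UDP, bounds the DNS payload by the UDP length so the Ethernet padding on the 60-byte frames is discarded, and then reads the header flags, the question and the EDNS0 OPT record. The packet bytes are copied from the post; the function names, the dictionary keys and the wording of the check_response messages are my own choices.

```python
import re
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 33: "SRV", 41: "OPT"}

# Frames 1-3 of the abnormal exchange, copied verbatim from the post: our SRV query,
# the remote's 12-byte "query" with RCODE=2, and our server's FORMERR reply to it.
PKT1 = """
0000 00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00 ..MN.A....S...E.
0010 00 85 e1 3f 40 00 fc 11 c5 f7 80 f4 c5 20 d8 34 ...?@........ .4
0020 b8 e6 00 35 00 35 00 71 de fc af 81 00 10 00 01 ...5.5.q........
0030 00 00 00 00 00 01 05 5f 6c 64 61 70 04 5f 74 63 ......._ldap._tc
0040 70 24 33 63 37 33 61 64 33 35 2d 62 66 30 38 2d p$3c73ad35-bf08-
0050 34 37 31 65 2d 62 31 30 65 2d 34 34 34 35 30 38 471e-b10e-444508
0060 35 37 34 35 62 37 07 64 6f 6d 61 69 6e 73 06 5f 5745b7.domains._
0070 6d 73 64 63 73 09 63 68 65 6d 69 6d 61 67 65 03 msdcs.chemimage.
0080 63 6f 6d 00 00 21 00 01 00 00 29 08 00 00 00 00 com..!....).....
0090 00 00 00 ...
"""
PKT2 = """
0000 00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00 ....S...MN.A..E.
0010 00 28 97 79 00 00 70 11 dc 1b d8 34 b8 e6 80 f4 .(.y..p....4....
0020 c5 20 00 35 00 35 00 14 28 2a 00 00 00 02 00 00 . .5.5..(*......
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
"""
PKT3 = """
0000 00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00 ..MN.A....S...E.
0010 00 28 e1 40 40 00 fc 11 c6 53 80 f4 c5 20 d8 34 .(.@@....S... .4
0020 b8 e6 00 35 00 35 00 14 a8 2a 00 00 80 01 00 00 ...5.5...*......
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
"""

def hexdump_to_bytes(dump):
    """Collect the byte columns of 'offset b0 b1 ... ascii' lines; the ASCII column is skipped."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if tokens and re.fullmatch(r"[0-9a-f]{4}", tokens[0]):
            for tok in tokens[1:17]:          # at most 16 bytes per line
                if not re.fullmatch(r"[0-9a-f]{2}", tok):
                    break                     # first non-hex token starts the ASCII column
                out.append(int(tok, 16))
    return bytes(out)

def parse_name(msg, off):
    """Read a (possibly compressed) DNS name at off; return (name, offset after it)."""
    labels, after = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer: remember return point, jump
            after = off + 2 if after is None else after
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) or ".", (off if after is None else after)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def decode_frame(dump):
    """Return DNS header fields, question(s) and the EDNS0 UDP size of one captured frame."""
    raw = hexdump_to_bytes(dump)
    assert raw[12:14] == b"\x08\x00", "not an IPv4 frame"
    udp = 14 + (raw[14] & 0x0F) * 4           # Ethernet header + IPv4 IHL*4
    sport, dport, ulen = struct.unpack_from("!HHH", raw, udp)
    msg = raw[udp + 8:udp + ulen]             # UDP length bounds the DNS payload, so the
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)  # Ethernet padding is dropped
    info = {"src": ".".join(map(str, raw[26:30])), "dst": ".".join(map(str, raw[30:34])),
            "sport": sport, "dport": dport, "dns_len": len(msg), "id": ident,
            "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qd": qd, "an": an, "ns": ns, "ar": ar, "questions": [], "edns_udp_size": None}
    off = 12
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        off += 4                              # QTYPE + QCLASS
        info["questions"].append((name, QTYPES.get(qtype, qtype)))
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):   # walk RRs, looking for OPT
        for _ in range(count):
            _name, off = parse_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if section == "ar" and rtype == 41:
                info["edns_udp_size"] = rclass                     # OPT: CLASS = UDP size
    return info

def check_response(query, reply):
    """List why `reply` is not a valid answer to `query` (what a resolver would log)."""
    problems = []
    if reply["qr"] == 0:
        problems.append("QR=0: the packet is marked as a query, not a response")
    if reply["id"] != query["id"]:
        problems.append("ID 0x%04x does not match the query ID 0x%04x" % (reply["id"], query["id"]))
    if reply["qd"] == 0:
        problems.append("QDCOUNT=0: the question was not echoed back")
    if reply["rcode"] != 0:
        problems.append("RCODE=%d (%s)" % (reply["rcode"], RCODES.get(reply["rcode"], "?")))
    return problems
```

Decoding PKT1 gives ID 0xaf81 (44929), QR=0, one SRV question and an OPT record advertising a 2048-byte UDP size, in a 105-byte DNS message, which is exactly what the tcpdump line in the quoted report printed. PKT2 decodes to ID 0, QR=0, RCODE=2 and every count zero in a 12-byte message, so the remote host is not answering at all: it is sending a packet shaped like a query, with no question and an error code set, and that is the "[b2&3=0x2] [0q] (12)" that confused the thread. PKT3 then shows our own server doing the only thing it can with a question-less query from port 53: answering it with QR=1, RCODE=1 (FORMERR), still under ID 0. check_response(query, reply) is the list of reasons a resolver has to discard such a packet rather than match it to the outstanding query.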