[SPAM]Re: Malformed response asking for SRV records

Humes, David G. David.Humes at jhuapl.edu
Thu Jun 17 16:03:03 UTC 2004


I don't think the EDNS0 extensions are causing the problem.  I can see
normal exchanges with this DNS server when we're just looking up A records.
Here are two packets showing a normal exchange where the EDNS0 extensions are
in use:

  9 103.632843 128.244.197.32 -> 216.52.184.230 DNS Standard query A zoo.parkingspa.com

0000  00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00   ..MN.A....S...E.
0010  00 4b 80 e5 40 00 fc 11 26 8c 80 f4 c5 20 d8 34   .K..@...&.... .4
0020  b8 e6 00 35 00 35 00 37 5d 1b 44 2e 00 10 00 01   ...5.5.7].D.....
0030  00 00 00 00 00 01 03 7a 6f 6f 0a 70 61 72 6b 69   .......zoo.parki
0040  6e 67 73 70 61 03 63 6f 6d 00 00 01 00 01 00 00   ngspa.com.......
0050  29 08 00 00 00 00 00 00 00                        )........

 10 103.689977 dns2.name-services.com -> 128.244.197.32 DNS Standard query response A 69.41.174.31

0000  00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00   ....S...MN.A..E.
0010  01 3e 05 ab 00 00 70 11 6c d4 d8 34 b8 e6 80 f4   .>....p.l..4....
0020  c5 20 00 35 00 35 01 2a 7c 9a 44 2e 84 00 00 01   . .5.5.*|.D.....
0030  00 01 00 05 00 05 03 7a 6f 6f 0a 70 61 72 6b 69   .......zoo.parki
0040  6e 67 73 70 61 03 63 6f 6d 00 00 01 00 01 03 7a   ngspa.com......z
0050  6f 6f 0a 70 61 72 6b 69 6e 67 73 70 61 03 63 6f   oo.parkingspa.co
0060  6d 00 00 01 00 01 00 00 0e 11 00 04 45 29 ae 1f   m...........E)..
0070  0a 70 61 72 6b 69 6e 67 73 70 61 c0 33 00 02 00   .parkingspa.3...
0080  01 00 00 0e 10 00 15 04 64 6e 73 31 0d 6e 61 6d   ........dns1.nam
0090  65 2d 73 65 72 76 69 63 65 73 c0 33 c0 46 00 02   e-services.3.F..
00a0  00 01 00 00 0e 10 00 07 04 64 6e 73 32 c0 62 c0   .........dns2.b.
00b0  46 00 02 00 01 00 00 0e 10 00 07 04 64 6e 73 33   F...........dns3
00c0  c0 62 c0 46 00 02 00 01 00 00 0e 10 00 07 04 64   .b.F...........d
00d0  6e 73 34 c0 62 c0 46 00 02 00 01 00 00 0e 10 00   ns4.b.F.........
00e0  07 04 64 6e 73 35 c0 62 c0 5d 00 01 00 01 00 00   ..dns5.b.]......
00f0  0e 10 00 04 3f fb a3 66 04 64 6e 73 32 c0 62 00   ....?..f.dns2.b.
0100  01 00 01 00 00 0e 10 00 04 d8 34 b8 e6 04 64 6e   ..........4...dn
0110  73 33 c0 62 00 01 00 01 00 00 0e 10 00 04 3f fb   s3.b..........?.
0120  53 24 04 64 6e 73 34 c0 62 00 01 00 01 00 00 0e   S$.dns4.b.......
0130  10 00 04 40 4a 60 f2 04 64 6e 73 35 c0 62 00 01   ...@J`..dns5.b..
0140  00 01 00 00 0e 10 00 04 d4 76 f3 76               .........v.v

Here are the requested raw packets for the abnormal exchanges:

  1   0.000000 128.244.197.32 -> 216.52.184.230 DNS Standard query SRV _ldap._tcp.3c73ad35-bf08-471e-b10e-4445085745b7.domains._msdcs.chemimage.com

0000  00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00   ..MN.A....S...E.
0010  00 85 e1 3f 40 00 fc 11 c5 f7 80 f4 c5 20 d8 34   ...?@........ .4
0020  b8 e6 00 35 00 35 00 71 de fc af 81 00 10 00 01   ...5.5.q........
0030  00 00 00 00 00 01 05 5f 6c 64 61 70 04 5f 74 63   ......._ldap._tc
0040  70 24 33 63 37 33 61 64 33 35 2d 62 66 30 38 2d   p$3c73ad35-bf08-
0050  34 37 31 65 2d 62 31 30 65 2d 34 34 34 35 30 38   471e-b10e-444508
0060  35 37 34 35 62 37 07 64 6f 6d 61 69 6e 73 06 5f   5745b7.domains._
0070  6d 73 64 63 73 09 63 68 65 6d 69 6d 61 67 65 03   msdcs.chemimage.
0080  63 6f 6d 00 00 21 00 01 00 00 29 08 00 00 00 00   com..!....).....
0090  00 00 00                                          ...

  2   0.047500 216.52.184.230 -> 128.244.197.32 DNS Standard query

0000  00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00   ....S...MN.A..E.
0010  00 28 97 79 00 00 70 11 dc 1b d8 34 b8 e6 80 f4   .(.y..p....4....
0020  c5 20 00 35 00 35 00 14 28 2a 00 00 00 02 00 00   . .5.5..(*......
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

  3   0.047942 128.244.197.32 -> 216.52.184.230 DNS Standard query response, Format error

0000  00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00   ..MN.A....S...E.
0010  00 28 e1 40 40 00 fc 11 c6 53 80 f4 c5 20 d8 34   .(.@@....S... .4
0020  b8 e6 00 35 00 35 00 14 a8 2a 00 00 80 01 00 00   ...5.5...*......
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

  4   0.095937 216.52.184.230 -> 128.244.197.32 DNS Standard query response, Format error

0000  00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00   ....S...MN.A..E.
0010  00 28 98 4c 00 00 70 11 db 48 d8 34 b8 e6 80 f4   .(.L..p..H.4....
0020  c5 20 00 35 00 35 00 14 a8 2a 00 00 80 01 00 00   . .5.5...*......
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Kevin Darcy
> Sent: Wednesday, June 16, 2004 8:08 PM
> To: comp-protocols-dns-bind at isc.org
> Subject: Re: [SPAM]Re: Malformed response asking for SRV records
> 
> 
> Barry Margolin wrote:
> 
> >In article <caqgmj$mo2$1 at sf1.isc.org>,
> > "Humes, David G." <David.Humes at jhuapl.edu> wrote:
> >
> >>We've noticed a situation recently where a remote name server is sending
> >>what appear to be malformed responses to queries for external SRV records.
> >>Here's an example:
> >>
> >>1.  Our DNS server sends request for SRV record
> >>08:32:00.828185 128.244.197.32.53 > 216.52.184.230.53:  [udp sum ok] 44929
> >>[1au] SRV ?
> >>_ldap._tcp.3c73ad35-bf08-471e-b10e-4445085745b7.domains._msdcs.chemimage.com
> >>. . OPT  UDPsize=2048 (105) (DF) (ttl 252, id 57663, len 133)
> >>
> >>2.  Remote server responds.  Transaction ID=0, QR=0, RCODE=02
> >>08:32:00.875685 216.52.184.230.53 > 128.244.197.32.53:  [udp sum ok] 0
> >>[b2&3=0x2] [0q] (12) (ttl 112, id 38777, len 40)
> >>
> >
> >It looks like your server is making use of EDNS0 extensions, but this is
> >confusing the remote server.  Try turning this off and see if it helps.
> >
> Shouldn't really matter, since a failed EDNS0 query should be followed
> up by a non-EDNS0 version of the query automatically.
> 
> I have to admit being pretty confused by those traces, though: some of
> the so-called "responses" show "QR=0" with a non-zero RCODE (???); plus
> is "id" supposed to be query ID, if so, why don't they match up, and
> what is "Transaction ID" then; why do some of the entries show the QR
> value, and others not; why is the RCODE sometimes shown in symbolic form
> (e.g. "FormErr-"), and other times not???? Looks like the packet-tracing
> tool is trying to be smarter about interpreting DNS packets than it
> really is.
> 
> Perhaps raw packet dumps would be less ambiguous.
> 
>                                     - Kevin
> 
> 
> 


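Kevin's point that raw dumps are less ambiguous than the tracer's summary can be checked mechanically. The script below is an added example, not code from the thread: it pulls the DNS header out of raw frames in the same hexdump format used above (the embedded lines are copied from the packet 1 and packet 2 dumps, cut after the 12-byte DNS header) and lists what makes packet 2 an invalid answer to packet 1. It assumes untagged Ethernet carrying IPv4/UDP; the RCODE names are the standard RFC 1035 values.

```python
# Added example, not code from the thread: the dump lines below are copied from
# the packet 1 (our SRV query) and packet 2 ("response") dumps above, cut after
# the 12-byte DNS header. Assumes untagged Ethernet carrying IPv4/UDP.
import struct

QUERY_DUMP = """
0000  00 04 4d 4e 14 41 00 d0 03 ed 53 fc 08 00 45 00
0010  00 85 e1 3f 40 00 fc 11 c5 f7 80 f4 c5 20 d8 34
0020  b8 e6 00 35 00 35 00 71 de fc af 81 00 10 00 01
0030  00 00 00 00 00 01 05 5f 6c 64 61 70 04 5f 74 63
"""
REPLY_DUMP = """
0000  00 d0 03 ed 53 fc 00 04 4d 4e 14 41 08 00 45 00
0010  00 28 97 79 00 00 70 11 dc 1b d8 34 b8 e6 80 f4
0020  c5 20 00 35 00 35 00 14 28 2a 00 00 00 02 00 00
0030  00 00 00 00 00 00 00 00 00 00 00 00
"""
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def frame_bytes(dump: str) -> bytes:
    """Parse 'offset  xx xx ...   ascii' lines, dropping offset and ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex("".join(line.split("   ")[0].split()[1:]))
    return bytes(out)

def dns_payload(frame: bytes) -> bytes:
    """Skip Ethernet (14), IPv4 (IHL*4) and UDP (8); UDP length trims padding."""
    udp = 14 + (frame[14] & 0x0F) * 4
    udp_len = struct.unpack("!H", frame[udp + 4:udp + 6])[0]
    return frame[udp + 8:udp + udp_len]

def dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "qr": flags >> 15 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def check_reply(query: dict, reply: dict) -> list:
    """List the ways 'reply' fails to be a well-formed answer to 'query'."""
    problems = []
    if reply["id"] != query["id"]:
        problems.append(f"ID {reply['id']:#06x} != query ID {query['id']:#06x}")
    if reply["qr"] != 1:
        problems.append("QR=0: laid out as a query, not a response")
    if reply["qdcount"] == 0:
        problems.append("QDCOUNT=0: question not echoed back")
    if reply["rcode"]:
        problems.append(f"RCODE={reply['rcode']} ({RCODES.get(reply['rcode'], 'other')})")
    return problems
```

Run on the dumps above it reports four problems for packet 2: ID 0 instead of 0xaf81, QR=0, QDCOUNT=0 and RCODE=2 (SERVFAIL). Packets 3 and 4 carry flag bytes 80 01, i.e. QR=1 with RCODE=1, which is why the tracer labels them "Format error".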