Got bad packet: bad label type

Joseph Karpenko (jkarpenk) jkarpenk at cisco.com
Wed Oct 22 01:29:47 UTC 2008


scapy (https://www.secdev.org/projects/scapy/) can also decode at this
layer pretty quickly and you can write the result to a pcap file.

>>> p=DNS(import_hexcap())
0000   2b 3c 81 80 00 01 00 04  00 00 00 00 09 5f 6b 65
0010   72 62 65 72 6f 73 04 5f  75 64 70 05 49 54 57 45
0020   42 05 57 45 42 4d 44 03  4e 45 54 00 00 21 00 01
0030   c0 0c 00 21 00 01 00 00  00 77 00 10 00 00 00 64
0040   00 58 07 64 6e 79 64 63  30 32 c0 3f c0 0c 00 21
0050   00 01 00 00 00 77 00 10  00 00 00 64 00 58 07 64
0060   6e 79 64 63 30 31 c0 3f  c0 0c 00 21 00 01 00 00
0070   00 77 00 10 00 00 00 64  00 58 07 64 6e 6a 64 63
0080   30 32 c0 3f c0 0c 00 21  00 01 00 00 00 77 00 10
0090   00 00 00 64 00 58 07 64  6e 6a 64 63 30 31 c0 3f
>>> 
>>> p
<DNS  id=11068 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=ok
qdcount=1 ancount=4 nscount=0 arcount=0 qd=<DNSQR
qname='_kerberos._udp.ITWEB.WEBMD.NET.' qtype=SRV qclass=IN |> an=<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc01\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc01\xc0?' |>>>> ns=0 ar=0 |>
>>> 
>>> 
>>> p.show(),hexdump(p)
###[ DNS ]###
  id= 11068
  qr= 1L
  opcode= QUERY
  aa= 0L
  tc= 0L
  rd= 1L
  ra= 1L
  z= 0L
  rcode= ok
  qdcount= 1
  ancount= 4
  nscount= 0
  arcount= 0
  \qd\
   |###[ DNS Question Record ]###
   |  qname= '_kerberos._udp.ITWEB.WEBMD.NET.'
   |  qtype= SRV
   |  qclass= IN
  \an\
   |###[ DNS Resource Record ]###
   |  rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
   |  type= SRV
   |  rclass= IN
   |  ttl= 119L
   |  rdlen= 16
   |  rdata= '\x00\x00\x00d\x00X\x07dnydc02\xc0?'
   |###[ DNS Resource Record ]###
   |  rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
   |  type= SRV
   |  rclass= IN
   |  ttl= 119L
   |  rdlen= 16
   |  rdata= '\x00\x00\x00d\x00X\x07dnydc01\xc0?'
   |###[ DNS Resource Record ]###
   |  rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
   |  type= SRV
   |  rclass= IN
   |  ttl= 119L
   |  rdlen= 16
   |  rdata= '\x00\x00\x00d\x00X\x07dnjdc02\xc0?'
   |###[ DNS Resource Record ]###
   |  rrname= '_kerberos._udp.ITWEB.WEBMD.NET.'
   |  type= SRV
   |  rclass= IN
   |  ttl= 119L
   |  rdlen= 16
   |  rdata= '\x00\x00\x00d\x00X\x07dnjdc01\xc0?'
  ns= 0
  ar= 0
0000   2B 3C 81 80 00 01 00 04  00 00 00 00 09 5F 6B 65   +<..........._ke
0010   72 62 65 72 6F 73 04 5F  75 64 70 05 49 54 57 45   rberos._udp.ITWE
0020   42 05 57 45 42 4D 44 03  4E 45 54 00 00 21 00 01   B.WEBMD.NET..!..
0030   09 5F 6B 65 72 62 65 72  6F 73 04 5F 75 64 70 05   ._kerberos._udp.
0040   49 54 57 45 42 05 57 45  42 4D 44 03 4E 45 54 00   ITWEB.WEBMD.NET.
0050   00 21 00 01 00 00 00 77  00 10 00 00 00 64 00 58   .!.....w.....d.X
0060   07 64 6E 79 64 63 30 32  C0 3F 09 5F 6B 65 72 62   .dnydc02.?._kerb
0070   65 72 6F 73 04 5F 75 64  70 05 49 54 57 45 42 05   eros._udp.ITWEB.
0080   57 45 42 4D 44 03 4E 45  54 00 00 21 00 01 00 00   WEBMD.NET..!....
0090   00 77 00 10 00 00 00 64  00 58 07 64 6E 79 64 63   .w.....d.X.dnydc
00a0   30 31 C0 3F 09 5F 6B 65  72 62 65 72 6F 73 04 5F   01.?._kerberos._
00b0   75 64 70 05 49 54 57 45  42 05 57 45 42 4D 44 03   udp.ITWEB.WEBMD.
00c0   4E 45 54 00 00 21 00 01  00 00 00 77 00 10 00 00   NET..!.....w....
00d0   00 64 00 58 07 64 6E 6A  64 63 30 32 C0 3F 09 5F   .d.X.dnjdc02.?._
00e0   6B 65 72 62 65 72 6F 73  04 5F 75 64 70 05 49 54   kerberos._udp.IT
00f0   57 45 42 05 57 45 42 4D  44 03 4E 45 54 00 00 21   WEB.WEBMD.NET..!
0100   00 01 00 00 00 77 00 10  00 00 00 64 00 58 07 64   .....w.....d.X.d
0110   6E 6A 64 63 30 31 C0 3F                            njdc01.?
(None, None)
>>> 
>>> ## we only have the DNS layer, need to add Ethernet,
>>> ## IP, and UDP and then write the pcap:
>>> 
>>> p=Ether()/IP()/UDP()/p
>>> p
<Ether  type=IPv4 |<IP  frag=0 proto=UDP |<UDP  sport=domain |<DNS
id=11068 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L rcode=ok
qdcount=1 ancount=4 nscount=0 arcount=0 qd=<DNSQR
qname='_kerberos._udp.ITWEB.WEBMD.NET.' qtype=SRV qclass=IN |> an=<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnydc01\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc02\xc0?' |<DNSRR
rrname='_kerberos._udp.ITWEB.WEBMD.NET.' type=SRV rclass=IN ttl=119L
rdata='\x00\x00\x00d\x00X\x07dnjdc01\xc0?' |>>>> ns=0 ar=0 |>>>>
>>> 
>>> wrpcap("/tmp/dns-bad-label-type.pcap", p)
>>> 


cheers,

---
karpenko

> From: bind-users-bounce at isc.org 
> [mailto:bind-users-bounce at isc.org] On Behalf Of Mark Andrews
> Sent: Tuesday, October 21, 2008 7:47 PM
> To: Linux Addict
> Cc: bind-users at isc.org
> Subject: Re: Got bad packet: bad label type 
> 
> 
> In message 
> <707abafb0810211732o3a20fb31x8fa36e3c7036553f at mail.gmail.com>, "Linu
> x Addict" writes:
> > On Tue, Oct 21, 2008 at 6:24 PM, Mark Andrews 
> <Mark_Andrews at isc.org> wrote:
> > 
> > >
> > > In message 
> <707abafb0810211024m2d1a3e55j5d495433db242217 at mail.gmail.com>,
> > > "Linu
> > > x Addict" writes:
> > > > I get this error when I try resolve some specific 
> records. Anyone know
> > > what
> > > > it means and how to resolve it.
> > >
> > >         You got a malformed packet.
> > >
> > > > ;; Got bad packet: bad label type
> > > > 160 bytes
> > > > 2b 3c 81 80 00 01 00 04 00 00 00 00 09 5f 6b 65
> > >   id=11068
> > >              questions=1
> > >                    answers=4
> > >                          authority=0
> > >                                additional=0
> > >                                         _kerberos.
> > > > 72 62 65 72 6f 73 04 5f 75 64 70 05 49 54 57 45
> > >                        _tcp.          ITWEB.
> > > > 42 05 57 45 42 4d 44 03 4e 45 54 00 00 21 00 01
> > >         WEBMD.            CET.        SRV   IN
> > > > c0 0c 00 21 00 01 00 00 00 77 00 10 00 00 00 64 
> <------------------\
> > >  compression point to offset 0x0c (_tcp.ITWEB.WEBMD.CET.) 
>           |
> > >        SRV   IN    119         16    0     100            
>           |
> > > > 00 58 07 64 6e 79 64 63 30 32 c0 3f c0 0c 00 21         
>            |
> > >   88       dnydc02.             compression pointer to 
> offset 3f ----/
> > >                         (which is 0x64, which is not a 
> valid label).
> > > > 00 01 00 00 00 77 00 10 00 00 00 64 00 58 07 64
> > > > 6e 79 64 63 30 31 c0 3f c0 0c 00 21 00 01 00 00
> > > > 00 77 00 10 00 00 00 64 00 58 07 64 6e 6a 64 63
> > > > 30 32 c0 3f c0 0c 00 21 00 01 00 00 00 77 00 10
> > > > 00 00 00 64 00 58 07 64 6e 6a 64 63 30 31 c0 3f
> > > >
> > > > Thanks
> > > > LA
> > > >
> > > >
> > > >
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: 
> Mark_Andrews at isc.org
> > >
> > 
> > 
> > This is awesome!! How did you decode it?
> 
> 	The contents of a DNS packet are described in RFCs 1034 and
> 	RFC 1035.  It's a simple matter to just read the data.
> 
> > Now How do I fix it?
> 
> 	You fix the server (usually that means upgrade) that sent
> 	you the response and/or any middle box (nat/firewall) that
> 	mucked with the packets contents.
> 
> 	All the compression pointers in the SRV records are bad
> 	which rules out random packet corruption.  So you are looking
> 	at the software that wrote / re-wrote the DNS payload.
> 
> 	Mark
> > 
> > Thanks, LA
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
> 
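
Added example, not part of the original thread: a standard-library Python decoder for RFC 1035 names that follows compression pointers and reports the offending byte, run over the 160-byte response quoted above. The names `read_name`, `srv_records` and `BadLabel` are this example's own.

```python
import struct
# The 160-byte response from the thread, copied from the hexdump on this page.
PACKET = bytes.fromhex(
    "2b3c81800001000400000000095f6b65726265726f73045f7564700549545745"
    "42055745424d44034e45540000210001c00c0021000100000077001000000064"
    "005807646e7964633032c03fc00c002100010000007700100000006400580764"
    "6e7964633031c03fc00c0021000100000077001000000064005807646e6a6463"
    "3032c03fc00c0021000100000077001000000064005807646e6a64633031c03f")

class BadLabel(ValueError): pass

def read_name(msg, off, max_jumps=16):
    """Decode the name at off; return (name, offset just past it)."""
    labels, after, jumps = [], None, 0
    while True:
        if off >= len(msg):
            raise BadLabel("name runs past end of message at 0x%02x" % off)
        b = msg[off]
        if b & 0xC0 == 0xC0:        # 11xxxxxx: compression pointer
            if off + 1 >= len(msg) or jumps >= max_jumps:
                raise BadLabel("truncated or looping pointer at 0x%02x" % off)
            after = off + 2 if after is None else after
            off, jumps = ((b & 0x3F) << 8) | msg[off + 1], jumps + 1
        elif b & 0xC0:              # 01xxxxxx / 10xxxxxx: neither label nor pointer
            raise BadLabel("bad label type 0x%02x at offset 0x%02x" % (b, off))
        elif b == 0:                # root label ends the name
            return ".".join(labels) + ".", (off + 1 if after is None else after)
        else:                       # 00xxxxxx: ordinary label of b bytes
            labels.append(msg[off + 1:off + 1 + b].decode("ascii", "replace"))
            off += 1 + b

def srv_records(msg):
    """Return (owner, priority, weight, port, target-or-error) per SRV answer."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off, out = 12, []
    for _ in range(qdcount):
        off = read_name(msg, off)[1] + 4        # skip qtype and qclass
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = off + 10, off + 10 + rdlen  # rdlen skips past a bad target
        if rtype != 33:                          # only SRV rdata is decoded here
            continue
        priority, weight, port = struct.unpack_from("!HHH", msg, rdata)
        try:
            target = read_name(msg, rdata + 6)[0]
        except BadLabel as exc:
            target = "ERROR: %s" % exc
        out.append((owner, priority, weight, port, target))
    return out
```

Because each record's `rdlen` is trusted to find the next record, `srv_records(PACKET)` keeps going after a bad target and shows that all four SRV targets fail at the same pointer.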


