Odd DNS Traffic
Support Team
support at snworks.com
Wed Mar 26 21:00:38 UTC 2003
First, I would like to note that I am new to the list and group. It's nice to
be here.
Second, since Monday, March 24th at approx. 1am we have been suffering
from "odd" DNS traffic to our two primary DNS servers. The odd traffic
has increased our bandwidth utilization by about 20 Mbps, which is
obviously putting a hurting on our network and our DNS servers.
I know this must also be affecting other networks, and if anything the
root servers. If anyone has any suggestions, etc, they would be much
appreciated.
Thank you,
Michael Mannella
Support Team
Synergy Networks, Inc.
Here are the symptoms:
============================================
The odd traffic started with the root servers, namely
(a-m).gtld-servers.net. Most of the traffic is still coming from them,
but other servers have also started sending us this odd traffic.
We have 3 DNS servers; only two are being affected: our Primary
and Secondary servers, which are listed with Network Solutions. The third
server (which is not being affected) is not listed with NetSol and has no
DNS records set up on it. It is strictly used for lookups.
The odd traffic is listed as a "DNS Spoof attempt" on our firewall.
The odd traffic looks like this:
Rcv 192.48.79.30 0cbb R Q [0084 A NOERROR]
(8)Îҵĵ绰(3)COM(0)
UDP response info at 01ADC8BC
Socket = 380
Remote addr 192.48.79.30, port 53
Time Query=147367, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x010e (270)
Message:
XID 0x0cbb
Flags 0x8400
QR 1 (response)
OPCODE 0 (QUERY)
AA 1
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x1
NSCOUNT 0xd
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(8)Îҵĵ绰(3)COM(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
Offset = 0x001e, RR count = 0
Name "[C00C](8)Îҵĵ绰(3)COM(0)"
TYPE A (1)
CLASS 1
TTL 300
DLEN 4
DATA 198.41.1.35
AUTHORITY SECTION:
Offset = 0x002e, RR count = 0
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 20
DATA (1)g(12)gtld-servers(3)net(0)
Offset = 0x004e, RR count = 1
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)h[C03C](12)gtld-servers(3)net(0)
Offset = 0x005e, RR count = 2
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)d[C03C](12)gtld-servers(3)net(0)
Offset = 0x006e, RR count = 3
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)j[C03C](12)gtld-servers(3)net(0)
Offset = 0x007e, RR count = 4
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)i[C03C](12)gtld-servers(3)net(0)
Offset = 0x008e, RR count = 5
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)l[C03C](12)gtld-servers(3)net(0)
Offset = 0x009e, RR count = 6
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)b[C03C](12)gtld-servers(3)net(0)
Offset = 0x00ae, RR count = 7
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)e[C03C](12)gtld-servers(3)net(0)
Offset = 0x00be, RR count = 8
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)a[C03C](12)gtld-servers(3)net(0)
Offset = 0x00ce, RR count = 9
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)k[C03C](12)gtld-servers(3)net(0)
Offset = 0x00de, RR count = 10
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)f[C03C](12)gtld-servers(3)net(0)
Offset = 0x00ee, RR count = 11
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)c[C03C](12)gtld-servers(3)net(0)
Offset = 0x00fe, RR count = 12
Name "[C015](3)COM(0)"
TYPE NS (2)
CLASS 1
TTL 172800
DLEN 4
DATA (1)m[C03C](12)gtld-servers(3)net(0)
ADDITIONAL SECTION:
The DNS server encountered an invalid domain name in a packet from
192.48.79.30. The packet is rejected.