[This has no operational consequences, it is just idle curiosity.] A server receives a few packets/second coming from several IP addresses and querying ./NS (like in priming, or maybe in some reflection attacks). The server was never a root server, of course.
What is interesting is that all these packets have two extra bytes at the end, after the class. The UDP length is correct, but the DNS content is not. I don't show you the output of tshark, because it ignores these extra bytes (but you can see them with Wireshark or other tools). I attached a small pcap. The source IP addresses (which may be spoofed) are all registered in China. Did anyone see these requests? Side question: what should the receiver do? tshark, as I said, drops these extra bytes, Wireshark flags no error (but displays the bytes). I did not test them with various DNS servers to see how they react. Ignoring the extra bytes in the name of the robustness principle? Instead, at least one DNS library rejects the packet as malformed.
Attachment: extra-bytes.pcap (application/vnd.tcpdump.pcap)
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
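As an added illustration (not code from the post or from any of the tools it mentions), the following strict parser walks a query message section by section and reports whatever is left after the last section, so trailing bytes like the two described above are surfaced instead of being silently dropped. The sample messages are constructed here, not taken from the attached pcap, and the function and constant names are this example's own.

```python
import struct
# Constructed sample (not the post's pcap): a priming-style query for "." NS (2) IN (1);
# header id 0x1234, flags 0x0100 (RD), QDCOUNT 1, the other counts 0.
PRIMING_QUERY = bytes.fromhex("123401000001000000000000" "00" "0002" "0001")
# The same query with two extra bytes after the class, as described in the post.
PRIMING_QUERY_TRAILING = PRIMING_QUERY + b"\x00\x00"
def read_name(msg, off):
    """Decode an uncompressed name at off; return (name, offset past its terminator)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed or extended label in name")
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return (".".join(labels) + "." if labels else "."), off

def skip_rr(msg, off):
    """Skip one resource record (e.g. the EDNS OPT RR a priming query may carry)."""
    _, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated RR header")
    rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
    off += 10 + rdlength
    if off > len(msg):
        raise ValueError("truncated RDATA")
    return off

def parse_message(msg):
    """Parse header, questions and RR sections; return the bytes left over at the end."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):
        off = skip_rr(msg, off)
    return {"id": qid, "questions": questions, "trailing": msg[off:]}
```

A receiver that wants the strict behaviour can treat a non-empty `trailing` as FORMERR; one that follows the robustness principle can log it and answer anyway, but either way the bytes are visible rather than dropped.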
