Re: [logs] strange DNS query's, familiar to anyone ?

From: Tina Bird (tbird@precision-guesswork.com)
Date: Tue Jul 16 2002 - 06:39:50 PDT

Next message: Fabio Pietrosanti (naif): "[logs] Security Monitoring software customization limit?"

Previous message: Marco van Berkum: "[logs] strange DNS query's, familiar to anyone ?"
In reply to: Marco van Berkum: "[logs] strange DNS query's, familiar to anyone ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 16 Jul 2002, Marco van Berkum wrote:

> Jul 16 14:43:23 obiwanken named[30114]: wrong ans. name
> (\\0016\\002.3\\00212\\003202\\007in-addr\\004arpa\\000\\000\\012\\000\\001\\192\\011\\000\\012\\000\\001\\000\\000\\168\\192\\000\\018\\006proxy6\\003psu\\002ac\\002th
> != 6.73.12.202.in-addr.arpa)
> Jul 16 14:43:26 obiwanken named[30114]: wrong ans. name
> (\\0016\\002.3\\00212\\003202\\007in-addr\\004arpa\\000\\000\\012\\000\\001\\192\\011\\000\\012\\000\\001\\000\\000\\168\\192\\000\\018\\006proxy6\\003psu\\002ac\\002th
> != 6.73.12.202.in-addr.arpa)

<message clipped for brevity>

This is a response-check message (see
http://triton.process.com/bind-docs/logging.html).  According to
http://www.isc.org/ml-archives/bind-users/2000/04/msg00610.html,

"Zoe Wianiak wrote:

> Apr 12 07:53:36 Shears named[107]: wrong ans.
>
name(\003144\00226\00212\007in-addr\004arpa\000\000\012\000\001\192\015\000\012\000\001\000\001Q\128\000\017\011topptelecom\003com
> !=                           238.144.26.12.in-addr.arpa)
>
> Could this be an attempt at a buffer overflow?

Unlikely. It's just named's cryptic way of saying it thinks it got a
144.26.12.in-addr.arpa answer to a 238.144.26.12.in-addr.arpa
question. The only reason it looks so big and nasty is because it's
showing the raw wire format of the answer it got, with all of the
non-printable characters escaped. But it's actually the same size as the
correct response would have been. In fact, it *is* the
correct response, except that a chunk of it has been shifted 4 bytes
backwards (which just so happened to have neatly trimmed the
initial "238." from the answer, otherwise named would have probably just
considered it a generic "malformed response"), with the
resulting gap filled by seemingly-random values. I don't think I've ever
seen corruption quite like that before. Given the nature of
the corruption, I consider it more likely a problem with the responding
server than with some network component.

Strangely, I'm not getting malformed responses from either
ns1.hydrogenmedia.net or ns2.hydrogenmedia.net, the authoritative servers
for 144.26.12.in-addr.arpa. So either you got this bogon from a forwarder
or the problem was only transient."  (Thanks to Kevin Darcy for his 4/2000
posting to the BIND users mailing list.)

I'm adding the BIND logging link to the Log Analysis Web site.  Remember,
Google is your friend...

HTH -- tbird

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Fabio Pietrosanti (naif): "[logs] Security Monitoring software customization limit?"
Previous message: Marco van Berkum: "[logs] strange DNS query's, familiar to anyone ?"
In reply to: Marco van Berkum: "[logs] strange DNS query's, familiar to anyone ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 06:45:59 PDT