null DNS header on packets - AIX, excessive network traffic

Kevin Darcy kcd at daimlerchrysler.com
Mon Jun 3 20:12:26 UTC 2002


asanders at cs.olemiss.edu wrote:

> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<ad8rrp$d1gm$1 at isrv4.isc.org>...
> > asanders at cs.olemiss.edu wrote:
> >
> > > I have a dns server (dns.mydomain.com) and a sendmail server
> > > (mailserver.mydomain.com) along with about 200 other servers not
> > > really in this picture.  We have noticed that the DNS server is
> > > getting excessive traffic from the mail server.  So I did a snoop:
> > >
> > > snoop -i /tmp/capt -t r | grep DNS
> > >
> > > Here is a sample of the output:
> > > 615   0.53065 dns.mydomain.com -> mailserver.mydomain.com DNS R
> > > port=50176
> > > 616   0.53076 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > port=50176
> > > 617   0.53095 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > port=50176
> > > 618   0.53158 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > Ilford.com. Internet Addr ?
> > > 619   0.53187 dns.mydomain.com -> mailserver.mydomain.com DNS R
> > > port=50176
> > > 620   0.53208 dns.mydomain.com -> mailserver.mydomain.com DNS R
> > > port=50176
> > > 621   0.53210 mailserver.mydomain.com -> dns.mydomain.com DNS C
> > > port=50176
> > >
> > > The question I have is what is the deal with packets like 616 & 617
> > > from the mail server and packet 619 from the dns server.  By analyzing
> > > the individual packet using:
> > >
> > > snoop -i /tmp/capt -v -p616
> > >
> > > I get:
> > >
> > > ETHER:  ----- Ether Header -----
> > > ETHER:
> > > ETHER:  Packet 616 arrived at 10:26:10.82
> > > ETHER:  Packet size = 54 bytes
> > > ETHER:  Destination = 0:a0:c9:d1:da:e4,
> > > ETHER:  Source      = 8:0:20:a3:18:27, Sun
> > > ETHER:  Ethertype = 0800 (IP)
> > > ETHER:
> > > IP:   ----- IP Header -----
> > > IP:
> > > IP:   Version = 4
> > > IP:   Header length = 20 bytes
> > > IP:   Type of service = 0x00
> > > IP:         xxx. .... = 0 (precedence)
> > > IP:         ...0 .... = normal delay
> > > IP:         .... 0... = normal throughput
> > > IP:         .... .0.. = normal reliability
> > > IP:   Total length = 40 bytes
> > > IP:   Identification = 60
> > > IP:   Flags = 0x0
> > > IP:         .0.. .... = may fragment
> > > IP:         ..0. .... = last fragment
> > > IP:   Fragment offset = 0 bytes
> > > IP:   Time to live = 255 seconds/hops
> > > IP:   Protocol = 6 (TCP)
> > > IP:   Header checksum = 7da1
> > > IP:   Source address = 141.129.10.7, mailserver.mydomain.com
> > > IP:   Destination address = 164.103.2.3, dns.mydomain.com
> > > IP:   No options
> > > IP:
> > > TCP:  ----- TCP Header -----
> > > TCP:
> > > TCP:  Source port = 50176
> > > TCP:  Destination port = 53 (DNS)
> > > TCP:  Sequence number = 285443549
> > > TCP:  Acknowledgement number = 2876548548
> > > TCP:  Data offset = 20 bytes
> > > TCP:  Flags = 0x10
> > > TCP:        ..0. .... = No urgent pointer
> > > TCP:        ...1 .... = Acknowledgement
> > > TCP:        .... 0... = No push
> > > TCP:        .... .0.. = No reset
> > > TCP:        .... ..0. = No Syn
> > > TCP:        .... ...0 = No Fin
> > > TCP:  Window = 33120
> > > TCP:  Checksum = 0x4432
> > > TCP:  Urgent pointer = 0
> > > TCP:  No options
> > > TCP:
> > > DNS:  ----- DNS:   -----
> > > DNS:
> > > DNS:  ""
> > > DNS:
> > >
> > > Notice the DNS header section is null.  The packet reply from the DNS
> > > server is the same.  There are many of the packets.  Any insight would
> > > be greatly appreciated.
> >
> > This is just an ACK packet on a TCP connection. I wouldn't expect to see
> > a DNS header here.
> >
> >
> > - Kevin
>
> Thanks Kevin.  Let me give you more details.  My dns group came to me
> saying that our mailserver was doing excessive zone transfers with the
> dns server--which makes no sense b/c our mailserver is not running
> bind or anything that would do a zone transfer.  So I am trying to
> find out what all of this communication is caused by.  On, my
> mailserver I just did a netstat -an and grep'd for the IP of our
> mailserver & for the IP of the dns server and there are 933
> connections between these 2 servers.  864 are in TIME_WAIT status.
> All connections are coming from different mail server ports around
> 40000 to the dns server on port 53 (where bind is running).  Got any
> ideas why there are so many connections?

Are they sure that these are zone transfers? Or, are they TCP connections to the DNS port that
your DNS folks are just *assuming* are zone transfers?

What mail software are you running, and how is it configured? It's conceivable that it might be
explicitly using TCP for DNS queries, for some extraterrestrial reason...


- Kevin
