null DNS header on packets - AIX, excessive network traffic
Kevin Darcy
kcd at daimlerchrysler.com
Fri May 31 21:55:24 UTC 2002
asanders at cs.olemiss.edu wrote:
> I have a dns server (dns.mydomain.com) and a sendmail server
> (mailserver.mydomain.com) along with about 200 other servers not
> really in this picture. We have noticed that the DNS server is
> getting excessive traffic from the mail server. So I did a snoop:
>
> snoop -i /tmp/capt -t r | grep DNS
>
> Here is a sample of the output:
> 615 0.53065 dns.mydomain.com -> mailserver.mydomain.com DNS R port=50176
> 616 0.53076 mailserver.mydomain.com -> dns.mydomain.com DNS C port=50176
> 617 0.53095 mailserver.mydomain.com -> dns.mydomain.com DNS C port=50176
> 618 0.53158 mailserver.mydomain.com -> dns.mydomain.com DNS C Ilford.com. Internet Addr ?
> 619 0.53187 dns.mydomain.com -> mailserver.mydomain.com DNS R port=50176
> 620 0.53208 dns.mydomain.com -> mailserver.mydomain.com DNS R port=50176
> 621 0.53210 mailserver.mydomain.com -> dns.mydomain.com DNS C port=50176
>
> The question I have is what is the deal with packets like 616 & 617
> from the mail server and packet 619 from the dns server. By analyzing
> the individual packet using:
>
> snoop -i /tmp/capt -v -p616
>
> I get:
>
> ETHER: ----- Ether Header -----
> ETHER:
> ETHER: Packet 616 arrived at 10:26:10.82
> ETHER: Packet size = 54 bytes
> ETHER: Destination = 0:a0:c9:d1:da:e4,
> ETHER: Source = 8:0:20:a3:18:27, Sun
> ETHER: Ethertype = 0800 (IP)
> ETHER:
> IP: ----- IP Header -----
> IP:
> IP: Version = 4
> IP: Header length = 20 bytes
> IP: Type of service = 0x00
> IP: xxx. .... = 0 (precedence)
> IP: ...0 .... = normal delay
> IP: .... 0... = normal throughput
> IP: .... .0.. = normal reliability
> IP: Total length = 40 bytes
> IP: Identification = 60
> IP: Flags = 0x0
> IP: .0.. .... = may fragment
> IP: ..0. .... = last fragment
> IP: Fragment offset = 0 bytes
> IP: Time to live = 255 seconds/hops
> IP: Protocol = 6 (TCP)
> IP: Header checksum = 7da1
> IP: Source address = 141.129.10.7, mailserver.mydomain.com
> IP: Destination address = 164.103.2.3, dns.mydomain.com
> IP: No options
> IP:
> TCP: ----- TCP Header -----
> TCP:
> TCP: Source port = 50176
> TCP: Destination port = 53 (DNS)
> TCP: Sequence number = 285443549
> TCP: Acknowledgement number = 2876548548
> TCP: Data offset = 20 bytes
> TCP: Flags = 0x10
> TCP: ..0. .... = No urgent pointer
> TCP: ...1 .... = Acknowledgement
> TCP: .... 0... = No push
> TCP: .... .0.. = No reset
> TCP: .... ..0. = No Syn
> TCP: .... ...0 = No Fin
> TCP: Window = 33120
> TCP: Checksum = 0x4432
> TCP: Urgent pointer = 0
> TCP: No options
> TCP:
> DNS: ----- DNS: -----
> DNS:
> DNS: ""
> DNS:
>
> Notice the DNS header section is null. The packet reply from the DNS
> server is the same. There are many of these packets. Any insight would
> be greatly appreciated.
This is just an ACK packet on a TCP connection. I wouldn't expect to see
a DNS header here.
- Kevin
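As an added illustration (not part of the original thread), the following Python script rebuilds the 54-byte frame from the snoop decode above (addresses, ports, sequence and acknowledgement numbers, window and TTL copied from the post; checksums are left at zero and the data is constructed, not captured) and then walks the Ethernet/IP/TCP headers the same way a dissector does. A segment whose IP total length equals the IP header plus the TCP header carries zero bytes of payload, so there is nothing for a DNS decoder to show; only a segment with data gets the two-byte DNS-over-TCP length prefix and a DNS header. A second constructed frame carrying a query for Ilford.com. shows the contrast, and a truncated one shows the case where a DNS message is split across segments, which a per-packet decoder will also report as incomplete.

```python
import struct

# Constructed sample data: MAC/IP addresses, ports, sequence numbers,
# window and TTL are taken from the snoop decode in the post; checksums
# are left as 0 because nothing here validates them.
SRC_MAC = bytes.fromhex("080020a31827")   # mailserver (Sun NIC)
DST_MAC = bytes.fromhex("00a0c9d1dae4")   # dns server
SRC_IP = bytes([141, 129, 10, 7])
DST_IP = bytes([164, 103, 2, 3])

ETHERTYPE_IP = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
DNS_PORT = 53


def build_frame(payload, flags=TCP_ACK, sport=50176, dport=DNS_PORT,
                seq=285443549, ack=2876548548, window=33120, ip_id=60, ttl=255):
    """Assemble an Ethernet/IPv4/TCP frame (20-byte headers, no options)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl,
                     IPPROTO_TCP, 0, SRC_IP, DST_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      window, 0, 0)
    eth = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IP)
    return eth + ip + tcp + payload


def encode_qname(name):
    """Encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dns_query(qname, txid=0x1234, qtype=1):
    """DNS-over-TCP query: 2-byte length prefix, then header + one question."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    msg += encode_qname(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg


def decode_qname(buf, off):
    """Decode an uncompressed name starting at buf[off]; return (name, next offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:     # compression pointer; not expected in a question
            raise ValueError("compressed name in question section")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def classify(frame):
    """Describe one frame: TCP flags, payload length, and the DNS header
    if the segment actually carries (the start of) a DNS message."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return {"kind": "non-ip"}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return {"kind": "non-tcp"}
    tcp = ip[ihl:total_len]               # honour IP total length, drop any padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    payload = tcp[doff:]
    info = {"sport": sport, "dport": dport, "flags": flags,
            "payload_len": len(payload)}
    if DNS_PORT not in (sport, dport):
        info["kind"] = "tcp-other"
    elif not payload:
        # What snoop prints as "DNS C port=..." with an empty DNS section:
        # a pure ACK (or SYN/FIN/RST) with no bytes for the DNS decoder.
        info["kind"] = "tcp-ack-no-payload" if flags == TCP_ACK else "tcp-control"
    elif len(payload) < 2 + 12:
        # Too short for length prefix + DNS header: message continues
        # in a later segment, so a per-packet decoder cannot show it.
        info["kind"] = "dns-partial"
    else:
        msglen = struct.unpack("!H", payload[:2])[0]
        txid, dflags, qd = struct.unpack("!HHH", payload[2:8])
        info.update(kind="dns-response" if dflags & 0x8000 else "dns-query",
                    txid=txid, qdcount=qd, msg_len=msglen,
                    complete=len(payload) >= 2 + msglen)
        if qd:
            name, off = decode_qname(payload, 14)
            info["qname"] = name
            info["qtype"] = struct.unpack("!H", payload[off:off + 2])[0]
    return info


if __name__ == "__main__":
    print(classify(build_frame(b"")))                                   # the post's packet 616
    print(classify(build_frame(build_dns_query("Ilford.com."), TCP_ACK | TCP_PSH)))
```

The reconstructed frame comes out at exactly 54 bytes, matching snoop's "Packet size = 54 bytes", and its IP total length of 40 leaves no room for anything after the TCP header. When reading a real capture, count only the segments classified as dns-query or dns-response before concluding that a client is sending "excessive" DNS traffic; a stream of bare ACKs is the normal cost of a TCP connection, not extra queries.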