null DNS header on packets - AIX, excessive network traffic

Kevin Darcy kcd at daimlerchrysler.com
Fri May 31 21:55:24 UTC 2002


asanders at cs.olemiss.edu wrote:

> I have a dns server (dns.mydomain.com) and a sendmail server
> (mailserver.mydomain.com) along with about 200 other servers not
> really in this picture.  We have noticed that the DNS server is
> getting excessive traffic from the mail server.  So I did a snoop:
>
> snoop -i /tmp/capt -t r | grep DNS
>
> Here is a sample of the output:
> 615   0.53065 dns.mydomain.com -> mailserver.mydomain.com DNS R
> port=50176
> 616   0.53076 mailserver.mydomain.com -> dns.mydomain.com DNS C
> port=50176
> 617   0.53095 mailserver.mydomain.com -> dns.mydomain.com DNS C
> port=50176
> 618   0.53158 mailserver.mydomain.com -> dns.mydomain.com DNS C
> Ilford.com. Internet Addr ?
> 619   0.53187 dns.mydomain.com -> mailserver.mydomain.com DNS R
> port=50176
> 620   0.53208 dns.mydomain.com -> mailserver.mydomain.com DNS R
> port=50176
> 621   0.53210 mailserver.mydomain.com -> dns.mydomain.com DNS C
> port=50176
>
> The question I have is what is the deal with packets like 616 & 617
> from the mail server and packet 619 from the dns server.  By analyzing
> the individual packet using:
>
> snoop -i /tmp/capt -v -p616
>
> I get:
>
> ETHER:  ----- Ether Header -----
> ETHER:
> ETHER:  Packet 616 arrived at 10:26:10.82
> ETHER:  Packet size = 54 bytes
> ETHER:  Destination = 0:a0:c9:d1:da:e4,
> ETHER:  Source      = 8:0:20:a3:18:27, Sun
> ETHER:  Ethertype = 0800 (IP)
> ETHER:
> IP:   ----- IP Header -----
> IP:
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 40 bytes
> IP:   Identification = 60
> IP:   Flags = 0x0
> IP:         .0.. .... = may fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 255 seconds/hops
> IP:   Protocol = 6 (TCP)
> IP:   Header checksum = 7da1
> IP:   Source address = 141.129.10.7, mailserver.mydomain.com
> IP:   Destination address = 164.103.2.3, dns.mydomain.com
> IP:   No options
> IP:
> TCP:  ----- TCP Header -----
> TCP:
> TCP:  Source port = 50176
> TCP:  Destination port = 53 (DNS)
> TCP:  Sequence number = 285443549
> TCP:  Acknowledgement number = 2876548548
> TCP:  Data offset = 20 bytes
> TCP:  Flags = 0x10
> TCP:        ..0. .... = No urgent pointer
> TCP:        ...1 .... = Acknowledgement
> TCP:        .... 0... = No push
> TCP:        .... .0.. = No reset
> TCP:        .... ..0. = No Syn
> TCP:        .... ...0 = No Fin
> TCP:  Window = 33120
> TCP:  Checksum = 0x4432
> TCP:  Urgent pointer = 0
> TCP:  No options
> TCP:
> DNS:  ----- DNS:   -----
> DNS:
> DNS:  ""
> DNS:
>
> Notice the DNS header section is null.  The packet reply from the DNS
> server is the same.  There are many of the packets.  Any insight would
> be greatly appreciated.

This is just an ACK packet on a TCP connection. I wouldn't expect to see
a DNS header here.


- Kevin
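An added example, not part of the original thread, that shows why snoop prints an empty DNS section for packet 616: the IP total length (40 bytes) minus the IP header (20) and the TCP data offset (20) leaves zero payload bytes, and TCP flags 0x10 is ACK alone. The parser below is my own code; it assumes the `snoop -v` field layout quoted above and uses a constructed excerpt of that output.

```python
import re

# Constructed excerpt of the "snoop -i /tmp/capt -v -p616" output quoted
# above; only the fields needed to size the TCP payload are reproduced.
SNOOP_616 = """\
IP:   Header length = 20 bytes
IP:   Total length = 40 bytes
IP:   Protocol = 6 (TCP)
TCP:  Source port = 50176
TCP:  Destination port = 53 (DNS)
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x10
DNS:  ""
"""

# TCP flag bits (RFC 793), low bit first
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def _field(text, layer, name):
    """Pull the value after '<layer>:  <name> = ' from snoop -v output."""
    m = re.search(rf"^{layer}:\s+{re.escape(name)} = (\S+)", text, re.M)
    if not m:
        raise ValueError(f"missing {layer} field {name!r}")
    return m.group(1)


def classify(snoop_text):
    """Size the TCP payload of one snoop -v packet dump and name its flags.

    A DNS-over-TCP message is framed with a 2-byte length prefix (RFC 1035
    section 4.2.2), so a segment with zero payload bytes cannot carry any
    DNS data; snoop then prints an empty DNS section for it.
    """
    if int(_field(snoop_text, "IP", "Protocol")) != 6:
        return {"kind": "not-tcp", "payload_bytes": None, "flags": []}
    ip_hlen = int(_field(snoop_text, "IP", "Header length"))
    ip_total = int(_field(snoop_text, "IP", "Total length"))
    tcp_off = int(_field(snoop_text, "TCP", "Data offset"))
    flag_word = int(_field(snoop_text, "TCP", "Flags"), 16)
    flags = [name for name, bit in TCP_FLAG_BITS if flag_word & bit]
    payload = ip_total - ip_hlen - tcp_off
    if payload <= 0:
        kind = "bare-ack" if flags == ["ACK"] else "bare-control"
    else:
        kind = "dns-data"  # carries at least the 2-byte length prefix
    return {"kind": kind, "payload_bytes": payload, "flags": flags}
```

Running `classify(SNOOP_616)` reports a zero-byte payload with only ACK set, i.e. the TCP acknowledgement Kevin describes rather than a malformed DNS message.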