BIND in Windows - extra packets

Danny Mayer mayer at gis.net
Mon Apr 25 05:11:56 UTC 2005


At 06:30 PM 4/21/2005, Schelly, Neil wrote:
>I am relatively new to running BIND in a Windows environment with a new job
>I've started recently, but a problem has come to our attention in its use
>here and I'm hoping someone else has had previous experience with it.
>
>Essentially, I've duplicated this problem with several recent 9.2 and 9.3
>releases of BIND in Windows 2000 Server and Windows XP Pro.  Duplicating it
>is as easy as installing it with a blank named.conf file and directing your
>machine to use it for DNS lookups.  I cannot duplicate the problem with BIND
>running in Linux.
>
>The problem is that DNS requests made to other DNS servers are followed
>almost instantaneously by another packet with no payload.  A packet capture
>shows one or two of these 64-byte UDP packets following the real request.
>It doesn't happen after every request, but a packet capture of 200 packets
>or so is bound to catch a few instances of this happening.  Ethereal shows
>these packets as "Malformed packets" because there's nothing in the actual
>packet payload to translate into a DNS request.  I can attach a packet
>capture demonstrating this if it helps anyone, but I don't know the list
>policy on sending out attachments.
>

I'm not aware of anything that would cause this. The Windows socket
implementation was designed to have equal functionality as the Unix
code and I would not expect it to be sending out extra packets. You didn't
say what version of BIND you were running on Linux. Try using the
server statement:

server ip_addr { edns no;};

where ip_addr is the address of the server you are trying to reach and see
if it still sends out the extra packets. I recall that PIX has problems with
EDNS packets. EDNS may have nothing to do with the problem but
you never know. I can't imagine how it would send out extra packets.
Are they going to the same address/port?

The list server will strip attachments, so don't try; in any case I doubt
that a lot of people are interested. I usually recommend people put these
things on a web server and provide a URL, unless it's very short.

>The server itself is working fine as far as performing lookups and returning
>the appropriate results.  The problem that we're having is that our DNS
>servers are causing the Cisco PIX firewall (belonging to a customer of ours)
>to block traffic from our network.  The firewall is interpreting these
>extraneous packets as some type of DDOS.  I have been unable to find any
>mention of anyone having this problem before, but as I said, I have little
>experience running BIND in a Windows environment, so it could be normal.
>Also, since the server functions fine, it is unlikely that anyone would
>notice problems here - only by luck that we have.  I'm tempted to call it a
>bug and report it as such, but wanted to know if anyone has experienced it
>before and has some insight.

You may want to check that PIX can handle the EDNS0 packets. I've
never heard of this either but I never used ethereal to look at the packets
when it was under development.

Danny
>
>Regards,
>
>Neil J. Schelly
>Engineer, Network Operations
>
>Gómez, Inc.
>Enabling Performance Excellence
>T 781.768.2445
>M 508-410-4776
>nschelly at gomez.com <mailto:nschelly at gomez.com>
>www.gomez.com <http://www.gomez.com/>
>
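The thread's two diagnostic steps are reading the capture (empty UDP datagrams to port 53 that Ethereal flags as malformed) and re-testing with `server ip_addr { edns no; };` to see whether EDNS0 is involved. The following script is an added example, not code from the original post, from BIND or from Cisco; it builds constructed DNS/UDP payloads (with and without an EDNS0 OPT record), classifies each the way a DNS-aware inspector would, and tallies a capture's worth of them. The function names (`build_query`, `classify`, `triage`) and the sample names under example.com/example.net are assumptions of this example, not anything from the thread.

```python
import struct

# Added example for this thread; it is not code from the original post or from BIND.
# The datagrams built below are constructed here, not taken from the poster's capture.

DNS_TYPE_OPT = 41  # EDNS0 OPT pseudo-RR (RFC 2671)


def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname, txid=0x1234, edns=False, udp_payload_size=4096):
    """Build a minimal DNS/UDP A query, optionally carrying an EDNS0 OPT RR in the
    additional section (what a resolver sends with EDNS on; 'edns no' turns it off)."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt = b""
    if edns:
        # OPT RR: NAME=<root>, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, 0, 0)
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def skip_rr(buf, off):
    """Return the offset just past a resource record starting at off."""
    off = skip_name(buf, off)
    rdlength = struct.unpack("!H", buf[off + 8:off + 10])[0]  # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
    return off + 10 + rdlength


def classify(payload):
    """Say what a DNS-aware inspector sees in one UDP payload sent to port 53."""
    if len(payload) == 0:
        return "empty"        # the zero-payload datagrams described in the thread
    if len(payload) < 12:
        return "truncated"    # shorter than a DNS header: also malformed
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        return "response"     # QR bit set
    try:
        off = 12
        for _ in range(qdcount):
            off = skip_name(payload, off) + 4  # QTYPE + QCLASS
        for _ in range(ancount + nscount):
            off = skip_rr(payload, off)
        has_opt = False
        for _ in range(arcount):
            type_off = skip_name(payload, off)
            if struct.unpack("!H", payload[type_off:type_off + 2])[0] == DNS_TYPE_OPT:
                has_opt = True
            off = skip_rr(payload, off)
    except (IndexError, struct.error):
        return "truncated"    # counts ran past the end of the datagram
    return "edns0-query" if has_opt else "plain-query"


def triage(datagrams):
    """Count the classes seen across a capture's worth of port-53 payloads."""
    counts = {}
    for payload in datagrams:
        kind = classify(payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed stand-in for the described capture: real queries interleaved
    # with the empty datagrams the poster saw following them.
    sample = [
        build_query("www.example.com", edns=True), b"",
        build_query("mail.example.com", edns=True),
        build_query("ns1.example.net", edns=True), b"", b"",
    ]
    print(triage(sample))
```

Feeding the payloads of an actual capture through `triage` gives a before/after comparison for the `edns no` experiment: with EDNS disabled the real queries should move from "edns0-query" to "plain-query", and if the "empty" datagrams are still present at the same rate, EDNS0 can be ruled out as their cause and the PIX's reaction is to the empty datagrams themselves rather than to OPT records.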



More information about the bind-users mailing list