Re: Teardrop2 - still getting DNS bad packets
  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Teardrop2 - still getting DNS bad packets
  • From: Russ <Russ.Cooper@RC.ON.CA>
  • Date: Sun, 15 Mar 1998 11:33:50 -0500
  • Comments: To: "kkleszynintercafe.krakow.pl" <kkleszynintercafe.krakow.pl>
  • Reply-To: Russ <Russ.Cooper@RC.ON.CA>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

207.240.24.115 is ns1.flycast.com. Their web server, www.flycast.com,
uses a round robin DNS that contains 24 IP addresses. I've spoken with
their DNS administrator and we're of the opinion that the MS-NT DNS has
a problem dealing with that many IP addresses in response to a single A
record.

It would appear to me that having 24 IP addresses returned would be
against RFC 1035 (where I believe it's stated the response should be no
more than 255 characters total), but I'm not sure of this. If this were
true, I would suspect a lot of DNS servers would be having the same
problems, but so far I've only seen reports from MS-NT DNS servers.
Maybe it's the fact that they report the event in the Event Logger and
non-MS DNS servers are just ignoring packets beyond what's acceptable??

This report surfaced first during the Teardrop2 attack, but the Flycast
people (who sell a distributed web-based advertising scheme like
double-click, and therefore are being hit by people hitting sites other
than those that are obviously flycast.com) turned up this record around
the beginning of February.

I have seen no ill effects as a result of this, just the error being
reported as "Informational" in the NT Event Logger.

Maybe this was something implemented with the DNS-fix that is designed
to help identify fragmented DNS packets (a problem that was discovered
last year and fixed by the DNS-fix).

If there is someone from the NT DNS team reading this maybe you could
toss out some ideas. I sent a report of this to several contacts I had
with the NT 4.0 DNS beta team (Rachid Ouchou and James Gilroy) but I
haven't had a response from them yet.

I can say this, after a long conversation with the DNS administrator at
flycast.com I am convinced that they are not doing anything malicious
here. Whether or not this is for or against the DNS RFCs is still a
question in my mind, personally I think they've put too many entries in
under a single name but I could be wrong. If the entry is permissible
under the RFCs then there is obviously a problem with the MS-NT DNS,
otherwise, we just need to point the Flycast folks to a de facto
reference that shows they shouldn't be doing what they're doing.

Cheers,
Russ
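The size question raised in the post can be settled on the wire. RFC 1035 section 2.3.4 sets two separate limits: a name may be at most 255 octets, and a DNS message carried over UDP may be at most 512 octets; a responder that cannot fit its answer in 512 octets is expected to set the TC (truncation) bit so the client can retry over TCP. With the owner name of each answer compressed to a pointer back at the question name, an A record costs 16 octets, so the question is simply whether the header, question and N answers stay under 512. The script below is an added example written for this page, not code from the original post or from any of the products it mentions; it builds such a response, truncates and sets TC when the address list will not fit, and parses the result back. The name www.flycast.com is taken from the post; the 24 addresses are constructed from the 192.0.2.0/24 documentation range and are not Flycast's real records. It models only A records in the answer section; a server that also packs NS and glue records into the authority and additional sections spends part of the same 512-octet budget on them.

```python
"""Size check for a DNS A-record response with many addresses (RFC 1035 wire format).

Added example, not code from the original post. The query name comes from the post;
the sample addresses are constructed (documentation range 192.0.2.0/24).
"""
import struct

DNS_UDP_MAX = 512   # RFC 1035 s2.3.4: UDP messages are limited to 512 octets
DNS_NAME_MAX = 255  # RFC 1035 s2.3.4: a name is limited to 255 octets
TC_FLAG = 0x0200    # header TC bit: answer was cut down to fit the UDP limit
RR_A_COMPRESSED = 2 + 2 + 2 + 4 + 2 + 4  # name ptr + TYPE + CLASS + TTL + RDLENGTH + IPv4


def encode_name(name):
    """Encode a dotted name as length-prefixed labels, enforcing the 63/255-octet limits."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    out += b"\x00"  # root label terminates the name
    if len(out) > DNS_NAME_MAX:
        raise ValueError("name exceeds %d octets" % DNS_NAME_MAX)
    return out


def max_a_records(qname, limit=DNS_UDP_MAX):
    """How many A records fit in one UDP response for qname when every answer's
    owner name is a compression pointer to the question name at offset 12."""
    fixed = 12 + len(encode_name(qname)) + 4  # header + QNAME + QTYPE/QCLASS
    return (limit - fixed) // RR_A_COMPRESSED


def build_a_response(qname, addresses, txid=0x1234, ttl=300, limit=DNS_UDP_MAX):
    """Build a response with one question and as many A records as fit; set TC
    when addresses had to be dropped, as a UDP responder is expected to."""
    capacity = max_a_records(qname, limit)
    kept = addresses[:capacity]
    flags = 0x8180 | (TC_FLAG if len(kept) < len(addresses) else 0)  # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, 1, len(kept), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in kept:
        rdata = bytes(int(octet) for octet in addr.split("."))
        if len(rdata) != 4:
            raise ValueError("not an IPv4 address: %r" % addr)
        # 0xC00C: compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC000 | 12, 1, 1, ttl, 4) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a name at off, following compression pointers; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer holding a 14-bit offset
            if not jumped:
                end = off + 2  # the name ends right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_response(msg):
    """Parse header, question and answer section; return (qname, addresses, truncated)."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4  # skip QTYPE, QCLASS
    addresses = []
    for _ in range(ancount):
        _owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addresses.append(".".join(str(b) for b in rdata))
    return qname, addresses, bool(flags & TC_FLAG)


# Constructed sample: 24 addresses standing in for the round-robin set in the post.
SAMPLE_QNAME = "www.flycast.com"
SAMPLE_ADDRESSES = ["192.0.2.%d" % i for i in range(1, 25)]

if __name__ == "__main__":
    resp = build_a_response(SAMPLE_QNAME, SAMPLE_ADDRESSES)
    name, addrs, truncated = parse_a_response(resp)
    print(len(resp), "octets,", len(addrs), "A records, TC =", truncated)
    print("A records that fit under 512 octets for", SAMPLE_QNAME, "=",
          max_a_records(SAMPLE_QNAME))
```

For www.flycast.com the fixed part is 12 + 17 + 4 = 33 octets, so 24 answers give a 417-octet message and as many as 29 would still fit; only the 30th forces truncation. The 255-octet figure the post recalls is the limit on a single name, not on the whole response, so on the count alone a 24-address answer is within RFC 1035, and a resolver that logs such a reply as a bad packet is applying some other check.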