Open Resolver List, New Orleans, etc..
On May 9, 2013, at 7:32 PM, Jon Lewis <jlewis at lewis.org> wrote:
> On Thu, 9 May 2013, Jared Mauch wrote:
>> Some interesting data: about 46% of the IPs that respond to a DNS query do not respond from port 53, meaning they are "broken" in some interesting way.
> Maybe I'm not being very imaginative, but how can something from !53 be considered a DNS response to a query sent to port 53? Can you give some examples of the sorts of packets that fall into this rather large % of ill-behaved hosts? Are you sure you're not treating things like icmp port unreachable as a "!udp/53 src response"?
Here's a sample excerpt:
I have the raw packet data for these. They were on a UDP socket, not some tcpdump output parsing snafu? :)
I have many more of these in the dataset. I'm thinking about flagging those that aren't from udp/53 and giving a pointer to things like CPE device firmware that causes problems. I've got a lot of private data on that which I can't share, either because the vendor is delivering fixed firmware or something else.
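An added example, not part of the original message or of the survey's own code: one way a datagram read from the probing UDP socket can be accepted as a DNS answer regardless of its source port, by matching the transaction ID, the QR bit and the echoed question, and only then flagged when it did not come from udp/53. The function names, the labels and the sample datagrams (documentation addresses in 192.0.2.0/24) are constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid, qname):
    """Minimal DNS query (A/IN, RD set) as it would be sent to udp/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_reply(query, src_port, payload):
    """Classify one datagram read from the UDP socket the query was sent on.

    ICMP errors such as port unreachable never arrive as datagram payloads on
    a UDP socket, so everything seen here is UDP data from some source port.
    """
    if len(payload) < len(query):
        return "not-a-dns-answer"
    txid, flags = struct.unpack("!HH", payload[:4])
    same_txid = txid == struct.unpack("!H", query[:2])[0]
    is_response = bool(flags & 0x8000)  # QR bit set means "response"
    # Compare the echoed question case-insensitively (label lengths <= 63 and
    # the type/class bytes are unaffected by lower()).
    same_question = payload[12:len(query)].lower() == query[12:].lower()
    if not (same_txid and is_response and same_question):
        return "not-a-dns-answer"
    return "from-53" if src_port == 53 else "not-from-53"

def summarize(query, datagrams):
    """Count classifications over (source_ip, source_port, payload) tuples."""
    return Counter(classify_reply(query, port, data) for _, port, data in datagrams)

# Constructed sample data: one query and four datagrams "received" for it.
QUERY = build_query(0x1A2B, "example.com")
ANSWER = QUERY[:2] + struct.pack("!H", 0x8180) + QUERY[4:]  # same ID/question, QR set
SAMPLE = [
    ("192.0.2.10", 53, ANSWER),                      # well-behaved responder
    ("192.0.2.20", 1024, ANSWER),                    # valid answer, wrong source port
    ("192.0.2.30", 53, b"\x00\x00" + ANSWER[2:]),    # transaction ID does not match
    ("192.0.2.40", 61000, b"junk"),                  # unrelated UDP noise
]

if __name__ == "__main__":
    for label, count in summarize(QUERY, SAMPLE).items():
        print(f"{label}: {count}")
```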