Multiple sites have reported seeing strange DNS packets in their traces with the form:
172.20.42.160 > dns-server.53: 0 [0q] Type0 (Class 0)? . (36)
The following is an early analysis by Howard Kash:
This is a malformed DNS query with a query ID of 0, no questions, undefined query type 0, and undefined query class 0.
Further research reveals the following full packet trace (these are FDDI packets, so the IP header starts after byte 8):
10:10:13.558969 172.20.78.200.2400 >
There are always three queries with the query id equal to 0, 256, and 512. All other bytes in the DNS packet are null. The DNS server responds with a format error. One other distinguishing factor is that the starting source port number is always divisible by 100 (e.g. 2000, 2900, 3300, etc.) and increments by one for each of the three packets. Also, the DNS packet size is always 36 bytes.
Digging deeper, it appears they are also using TCP:
20:30:15.070616 172.20.78.202.3000 > dns-server.53: S
Same source port pattern, and the payload of the SYN packet is always 64 null bytes. The connection is immediately reset after the SYN ACK.
And even ICMP:
09:30:55.558457 172.20.78.200 >
When asked about the traffic (Thanks Judy!) one of the offending ISPs sent the following boilerplate response:
Someone within your domain requested content from one of our clients. We do global load balancing and geographic routing based on QOS algorithms. We are using 3DNS servers by F5 Labs to accomplish global load balancing and geographic routing. What you are seeing are our 3DNS servers probing to gain performance statistics from your local DNS. The 3DNS server caches all LDNS statistics and path information from people hitting us, and continuously monitors performance between our architectures. The 3DNS servers use this information to resolve you to the closest location to connect to us, giving the end user the fastest and best path to our multiple locations. This is the cause of the picture you see. The two IPs are Primary and Secondary DNS or shared interfaces, respectively.
We are not the developers of these fast emerging technologies and these are by no means new. We have leveraged the best technologies in these areas for over two and a half years now and as nice as they are for the delivery side, I understand the misunderstandings from the network admins in networks that are maintaining user-based Internet traffic.
If you would like additional information on these products you can go to the F5 Web site at http://www.f5.com.
I'm still skeptical, but it's the only logical explanation I can find. The packets appear to be harmless, but very persistent.
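As an added example (not part of the analysis above and not code from F5 or any 3DNS product), the following Python turns the signature described in the analysis into a detection check: a 36-byte UDP/53 payload whose query ID is 0, 256 or 512 with every other byte null, three such packets from source ports P, P+1, P+2 with P divisible by 100, and a bare SYN carrying 64 null bytes. The packet dictionaries, field names, sample addresses and sample packets are constructed for this example and are assumptions, not data from the original trace.

```python
import struct
from collections import defaultdict

# Signature constants taken from the analysis above.
DNS_PROBE_LEN = 36            # UDP payload is always 36 bytes
PROBE_IDS = (0, 256, 512)     # query IDs of the three packets, in order
SYN_PAYLOAD_LEN = 64          # the SYN carries 64 null bytes
DNS_HEADER_LEN = 12


def parse_dns_header(payload: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < DNS_HEADER_LEN:
        raise ValueError("DNS payload shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:DNS_HEADER_LEN])
    return {"id": qid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def is_3dns_dns_probe(payload: bytes) -> bool:
    """True if a UDP/53 payload matches the malformed query: exactly 36 bytes,
    ID in {0, 256, 512}, and nothing but null bytes after the ID (so no flags,
    zero section counts, and no question)."""
    if len(payload) != DNS_PROBE_LEN:
        return False
    if parse_dns_header(payload)["id"] not in PROBE_IDS:
        return False
    return not any(payload[2:])


def is_3dns_syn_probe(tcp_flags: str, payload: bytes) -> bool:
    """True for a bare SYN (tcpdump flag string 'S') carrying 64 null bytes."""
    return tcp_flags == "S" and len(payload) == SYN_PAYLOAD_LEN and not any(payload)


def find_probe_triplets(packets: list) -> list:
    """Return sorted (src_ip, base_port) pairs where ports base, base+1, base+2
    (base divisible by 100) sent probes with IDs 0, 256 and 512 respectively."""
    ids_by_port = defaultdict(dict)       # src ip -> {sport: query id}
    for pkt in packets:
        if pkt["proto"] != "udp" or pkt["dport"] != 53:
            continue
        if not is_3dns_dns_probe(pkt["payload"]):
            continue
        ids_by_port[pkt["src"]][pkt["sport"]] = parse_dns_header(pkt["payload"])["id"]
    hits = []
    for src, ports in ids_by_port.items():
        for base in ports:
            if base % 100:
                continue
            if all(ports.get(base + i) == PROBE_IDS[i] for i in range(3)):
                hits.append((src, base))
    return sorted(hits)


def make_probe(qid: int) -> bytes:
    """Build the 36-byte probe body: 16-bit big-endian query ID, then 34 nulls."""
    return struct.pack("!H", qid) + b"\x00" * (DNS_PROBE_LEN - 2)


# Constructed sample traffic (assumed, not from the original trace). The first
# three packets reproduce the triplet; the rest are decoys that must not match.
SAMPLE_PACKETS = [
    {"src": "172.20.78.200", "sport": 2400, "dport": 53, "proto": "udp", "payload": make_probe(0)},
    {"src": "172.20.78.200", "sport": 2401, "dport": 53, "proto": "udp", "payload": make_probe(256)},
    {"src": "172.20.78.200", "sport": 2402, "dport": 53, "proto": "udp", "payload": make_probe(512)},
    # ordinary query: ID 0x1234, RD flag set, one A/IN question for "a.example"
    {"src": "172.20.42.160", "sport": 2500, "dport": 53, "proto": "udp",
     "payload": struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x01a\x07example\x00" + struct.pack("!HH", 1, 1)},
    # right shape, but base port not divisible by 100 and only one packet
    {"src": "172.20.78.202", "sport": 2450, "dport": 53, "proto": "udp", "payload": make_probe(0)},
    # null body and a base port divisible by 100, but an ID outside the set
    {"src": "172.20.78.202", "sport": 2600, "dport": 53, "proto": "udp", "payload": make_probe(7)},
]

if __name__ == "__main__":
    print(find_probe_triplets(SAMPLE_PACKETS))
    print(is_3dns_syn_probe("S", b"\x00" * SYN_PAYLOAD_LEN))
```

The triplet check keys on the source-port and query-ID pattern rather than on any single packet, because a lone 36-byte null query is exactly what a resolver would log as a FORMERR anyway; requiring all three in sequence from one host is what separates this probe from random malformed traffic.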