
dns request, response malformed?

asked 2018-07-24 18:30:57 +0000 by dreamgear

updated 2018-07-24 21:00:52 +0000

Following are three DNS requests from a QNAP NAS device, and responses from a Samba 4.7 Internal DNS server. The first is straightforward enough, but on the second and third both the request and response are found to be "Malformed" by Wireshark. I'm wondering if this has to do with the problem I'm seeing between my QNAP and my Samba DCs.

The capture file is here: https://drive.google.com/open?id=1qG4g0KwQlLESH9ec0oLoXo2ghcmB2WZw

Here's the first one, just asking for the LDAP SRV records for the domain, and getting the correct response:

    No.     Time           Source                            Destination                       Protocol Length Info
          1 0.000000       wilkins3.intranet.seamanpaper.com moa.intranet.seamanpaper.com      DNS      89     Standard query 0x0000 SRV _ldap._tcp.ma.seamanpaper.com

    Frame 1: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0
    Ethernet II, Src: Qnap_27:e2:59 (24:5e:be:27:e2:59), Dst: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7)
    Internet Protocol Version 4, Src: wilkins3.intranet.seamanpaper.com (192.168.10.152), Dst: moa.intranet.seamanpaper.com (192.168.10.104)
    User Datagram Protocol, Src Port: 40429 (40429), Dst Port: domain (53)
    Domain Name System (query)

    No.     Time           Source                            Destination                       Protocol Length Info
          2 0.001159       moa.intranet.seamanpaper.com      wilkins3.intranet.seamanpaper.com DNS      232    Standard query response 0x0000 SRV _ldap._tcp.ma.seamanpaper.com SRV 0 100 389 emu.ma.seamanpaper.com SRV 0 100 389 moa.ma.seamanpaper.com SRV 0 100 389 ava.ma.seamanpaper.com SRV 0 100 389 auk.ma.seamanpaper.com SOA moa.ma.seamanpaper.com

    Frame 2: 232 bytes on wire (1856 bits), 232 bytes captured (1856 bits) on interface 0
    Ethernet II, Src: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7), Dst: Qnap_27:e2:59 (24:5e:be:27:e2:59)
    Internet Protocol Version 4, Src: moa.intranet.seamanpaper.com (192.168.10.104), Dst: wilkins3.intranet.seamanpaper.com (192.168.10.152)
    User Datagram Protocol, Src Port: domain (53), Dst Port: 40429 (40429)
    Domain Name System (response)

Here's the second:

    No.     Time           Source                            Destination                       Protocol Length Info
          3 0.001255       wilkins3.intranet.seamanpaper.com auk.intranet.seamanpaper.com      DNS      64     Standard query 0x0001[Malformed Packet]

    Frame 3: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
    Ethernet II, Src: Qnap_27:e2:59 (24:5e:be:27:e2:59), Dst: RealtekU_a9:12:d7 (52:54:00:a9:12:d7)
    Internet Protocol Version 4, Src: wilkins3.intranet.seamanpaper.com (192.168.10.152), Dst: auk.intranet.seamanpaper.com (192.168.10.109)
    User Datagram Protocol, Src Port: 40429 (40429), Dst Port: domain (53)
    Domain Name System (query)
    [Malformed Packet: DNS]
        [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
            [Malformed Packet (Exception occurred)]
            [Severity level: Error]
            [Group: Malformed]

    No.     Time           Source                Destination           Protocol Length Info
          4 0.001940       auk.intranet.seamanpaper.com wilkins3.intranet.seamanpaper.com DNS      64     Standard query response 0x0001 Format error[Malformed Packet]

    Frame 4: 64 bytes on wire ...

Comments

But enough to post a link to a capture file. Without that the question will remain open, text simply doesn't cut it.

Jaap (2018-07-24 19:35:23 +0000)

The capture file is here: https://drive.google.com/open?id=1qG4...

I started dissecting it by hand. It is doing a query for just the bare hostname of the domain controllers, "moa", but it's malformed. It has "03 62 6f 61" and then "c0", which afaik should be a zero. Does this make sense to anyone, or should I talk to the Samba folk? Many thanks!

dreamgear (2018-07-24 19:51:40 +0000)
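To make concrete what "should be a zero" means on the wire, here is an added example: a strict parser for the question section of a DNS query, written for this page and not taken from the original post, from Samba or from QNAP. A name is a run of length-prefixed labels ending in a zero byte; a byte with its top two bits set (0xC0..0xFF) is instead a two-byte compression pointer back to a name earlier in the same message, which is fine in a response but has nothing valid to point at in the 12-byte-header-plus-one-question layout of a query. The sample bytes are constructed: the good query reproduces the shape of frame 1 (47 bytes of DNS, which plus 14+20+8 bytes of Ethernet/IP/UDP headers gives the 89 bytes on the wire reported above), and the bad query follows the comment's description of a 3-byte label followed by a 0xC0 byte; the second pointer byte 0x0C and the QTYPE are my assumptions, since the page does not show them. The pointer target and loop checks are what a server's "Format error" reply (RCODE 1) corresponds to.

```python
"""Strict RFC 1035 parser for the question section of a DNS query.

Added example, not code from the original post, from Samba or from QNAP.
It shows why a 0xC0 byte after a label is accepted in one place (a pointer
back to a name earlier in the message) and rejected in another (a pointer
with nothing valid behind it), the condition a server answers with
RCODE 1, "Format error".
"""
import struct

QTYPE_A, QTYPE_SRV = 1, 33
RCODE_NOERROR, RCODE_FORMERR = 0, 1


class DnsFormatError(ValueError):
    """Raised where a DNS server would answer RCODE 1 (Format error)."""


def read_name(msg, offset, hops=0):
    """Decode a domain name at `offset` (RFC 1035 sections 3.1 and 4.1.4).

    Returns (name, offset just past the name). Rejects names that run off
    the end of the message, reserved label types (top bits 01 or 10),
    compression pointers that do not point backwards, and pointer loops.
    """
    if hops > 8:
        raise DnsFormatError("too many compression-pointer hops (loop?)")
    labels = []
    while True:
        if offset >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[offset]
        if length == 0:                        # root label: end of the name
            return ".".join(labels) or ".", offset + 1
        if length & 0xC0 == 0xC0:              # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset:
                raise DnsFormatError("pointer does not point backwards")
            tail, _ = read_name(msg, target, hops + 1)
            suffix = [] if tail == "." else tail.split(".")
            return ".".join(labels + suffix), offset + 2
        if length & 0xC0:                      # 01xxxxxx / 10xxxxxx: reserved
            raise DnsFormatError("reserved label type 0x%02x" % length)
        if offset + 1 + length > len(msg):
            raise DnsFormatError("label runs past end of message")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_query(msg):
    """Parse header + single question; raise DnsFormatError if malformed."""
    if len(msg) < 12:
        raise DnsFormatError("header shorter than 12 bytes")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount != 1:                           # strict servers reject this
        raise DnsFormatError("expected QDCOUNT 1, got %d" % qdcount)
    qname, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise DnsFormatError("QTYPE/QCLASS truncated")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname,
            "qtype": qtype, "qclass": qclass}


def rcode_for(msg):
    """RCODE a strict server would put in its reply to this query."""
    try:
        parse_query(msg)
        return RCODE_NOERROR
    except DnsFormatError:
        return RCODE_FORMERR


def formerr_response(query):
    """Minimal header-only reply: same ID, QR=1, RD copied, RCODE=1."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!6H", txid, 0x8000 | (flags & 0x0100) | RCODE_FORMERR,
                       0, 0, 0, 0)


def encode_name(name):
    """Uncompressed wire form: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, qtype):
    """Well-formed query: RD set, one question, no EDNS."""
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


# Constructed samples (not bytes copied from the capture).
# Same shape as frame 1: 47 bytes of DNS, 89 on the wire with L2-L4 headers.
GOOD_QUERY = build_query(0x0000, "_ldap._tcp.ma.seamanpaper.com", QTYPE_SRV)
# A correct way to ask for the bare host name "moa".
BARE_HOST_QUERY = build_query(0x0001, "moa", QTYPE_A)
# The shape described in the comments: label "moa" then a 0xC0 pointer byte.
# The second pointer byte (0x0C: offset 12, i.e. this very name) and the
# QTYPE are assumptions; the pointer then loops on itself.
BAD_QUERY = (struct.pack("!6H", 0x0001, 0x0100, 1, 0, 0, 0)
             + b"\x03moa" + b"\xC0\x0C" + struct.pack("!HH", QTYPE_A, 1))
```

`rcode_for(GOOD_QUERY)` and `rcode_for(BARE_HOST_QUERY)` return 0, while `rcode_for(BAD_QUERY)` returns 1, which is the "Format error" Wireshark shows on frame 4. The same 0xC0 byte is legal when it points backwards: appending `b"\x03moa\xC0\x17"` to GOOD_QUERY and calling `read_name` at offset 47 decodes to `moa.ma.seamanpaper.com`, because offset 0x17 is where `ma.seamanpaper.com` begins in the question name.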

1 Answer


answered 2018-07-25 04:50:58 +0000 by Jaap

The format of the queries in frames 3 and 5 is wrong. You've concluded that yourself, as has Wireshark, and so has the server, which returns a response with the Format Error flag set. So you should talk to the party that sends the ill-formatted queries.


Comments

Thanks, Jaap. I've opened a ticket with QNAP.

dreamgear (2018-07-25 16:13:00 +0000)
