dns request, response malformed?
Following are three DNS requests from a QNAP NAS device, and responses from a Samba 4.7 Internal DNS server. The first is straightforward enough, but on the second and third both the request and response are found to be "Malformed" by Wireshark. I'm wondering if this has to do with the problem I'm seeing between my QNAP and my Samba DCs.
The capture file is here: https://drive.google.com/open?id=1qG4g0KwQlLESH9ec0oLoXo2ghcmB2WZw
Here's the first one, just asking for the LDAP SRV records for the domain, and getting the correct response:
No. Time Source Destination Protocol Length Info
1 0.000000 wilkins3.intranet.seamanpaper.com moa.intranet.seamanpaper.com DNS 89 Standard query 0x0000 SRV _ldap._tcp.ma.seamanpaper.com
Frame 1: 89 bytes on wire (712 bits), 89 bytes captured (712 bits) on interface 0
Ethernet II, Src: Qnap_27:e2:59 (24:5e:be:27:e2:59), Dst: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7)
Internet Protocol Version 4, Src: wilkins3.intranet.seamanpaper.com (192.168.10.152), Dst: moa.intranet.seamanpaper.com (192.168.10.104)
User Datagram Protocol, Src Port: 40429 (40429), Dst Port: domain (53)
Domain Name System (query)
No. Time Source Destination Protocol Length Info
2 0.001159 moa.intranet.seamanpaper.com wilkins3.intranet.seamanpaper.com DNS 232 Standard query response 0x0000 SRV _ldap._tcp.ma.seamanpaper.com SRV 0 100 389 emu.ma.seamanpaper.com SRV 0 100 389 moa.ma.seamanpaper.com SRV 0 100 389 ava.ma.seamanpaper.com SRV 0 100 389 auk.ma.seamanpaper.com SOA moa.ma.seamanpaper.com
Frame 2: 232 bytes on wire (1856 bits), 232 bytes captured (1856 bits) on interface 0
Ethernet II, Src: RealtekU_4b:a0:b7 (52:54:00:4b:a0:b7), Dst: Qnap_27:e2:59 (24:5e:be:27:e2:59)
Internet Protocol Version 4, Src: moa.intranet.seamanpaper.com (192.168.10.104), Dst: wilkins3.intranet.seamanpaper.com (192.168.10.152)
User Datagram Protocol, Src Port: domain (53), Dst Port: 40429 (40429)
Domain Name System (response)
Here's the second:
No. Time Source Destination Protocol Length Info
3 0.001255 wilkins3.intranet.seamanpaper.com auk.intranet.seamanpaper.com DNS 64 Standard query 0x0001[Malformed Packet]
Frame 3: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
Ethernet II, Src: Qnap_27:e2:59 (24:5e:be:27:e2:59), Dst: RealtekU_a9:12:d7 (52:54:00:a9:12:d7)
Internet Protocol Version 4, Src: wilkins3.intranet.seamanpaper.com (192.168.10.152), Dst: auk.intranet.seamanpaper.com (192.168.10.109)
User Datagram Protocol, Src Port: 40429 (40429), Dst Port: domain (53)
Domain Name System (query)
[Malformed Packet: DNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
No. Time Source Destination Protocol Length Info
4 0.001940 auk.intranet.seamanpaper.com wilkins3.intranet.seamanpaper.com DNS 64 Standard query response 0x0001 Format error[Malformed Packet]
Frame 4: 64 bytes on wire ...
But enough to post a link to a capture file. Without that the question will remain open, text simply doesn't cut it.
The capture file is here: https://drive.google.com/open?id=1qG4...
I started dissecting it by hand. It is doing a query for just the bare hostname of the domain controllers "moa" but it's malformed. It has "03 62 6f 61" and then "c0" which afaik should be a zero. Does this make sense to anyone or should I talk to the samba folk? Many thanks!
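To make the wire-format reasoning in the comment above concrete, here is an added example (my own code, not part of the original post, the linked capture, or Samba) that decodes a DNS name per RFC 1035 section 4.1.4 and reports why a question name whose last label is followed by a 0xC0 octet, where the 0x00 root label belongs, is rejected. The byte 0xC0 marks a compression pointer, and in a single-question query there is nothing earlier in the message a pointer could legitimately refer to. The packets below are constructed for the example (the 22-byte query mirrors the 64-byte frame size in the capture: 14 Ethernet + 20 IP + 8 UDP + 22 DNS), not bytes taken from the capture.

```python
"""Minimal RFC 1035 name decoder that explains *why* a name is malformed.

Added example, not from the original post. All sample messages are constructed.
"""
import struct

HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}


class MalformedName(ValueError):
    """Raised when a wire-format name violates RFC 1035 section 4.1.4."""


def decode_name(msg: bytes, offset: int):
    """Decode the name at `offset`; return (dotted_name, offset_after_name).

    Rules enforced: a name ends with a zero-length label; an octet with the two
    high bits set is a compression pointer that must refer *backwards*, never
    into the header, and never form a loop; 0x40/0x80 label types are reserved.
    """
    labels, pos, end, visited = [], offset, None, set()
    while True:
        if pos >= len(msg):
            raise MalformedName(f"name runs past end of message at offset {pos}")
        length = msg[pos]
        if length == 0:                       # root label terminates the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer (2 octets)
            if pos + 1 >= len(msg):
                raise MalformedName(f"truncated compression pointer at offset {pos}")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if end is None:
                end = pos + 2                 # name ends just past the first pointer
            if target >= pos:
                raise MalformedName(f"pointer at offset {pos} points forward to {target}")
            if target < HEADER_LEN:
                raise MalformedName(f"pointer at offset {pos} points into the header ({target})")
            if target in visited:
                raise MalformedName(f"pointer at offset {pos} creates a loop via {target}")
            pos = target
            continue
        if length & 0xC0:                     # 0x40 / 0x80 are reserved label types
            raise MalformedName(f"reserved label type 0x{length:02x} at offset {pos}")
        if pos + 1 + length > len(msg):
            raise MalformedName(f"label at offset {pos} runs past end of message")
        visited.add(pos)
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), (end if end is not None else pos)


def parse_question(msg: bytes) -> dict:
    """Parse the header and the first question; raise MalformedName on error."""
    if len(msg) < HEADER_LEN:
        raise MalformedName("message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    qname, off = decode_name(msg, HEADER_LEN)
    if off + 4 > len(msg):
        raise MalformedName("question truncated before QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "rcode": flags & 0xF, "qname": qname,
            "qtype": qtype, "qclass": qclass, "end": off + 4}


def first_answer_owner(msg: bytes):
    """Decode the owner name of the first answer RR (usually a pointer to QNAME)."""
    return decode_name(msg, parse_question(msg)["end"])


def rcode_name(msg: bytes) -> str:
    """Read only the header RCODE, which works even when the body is malformed."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")


def check(msg: bytes):
    """Return ('ok', qname) or ('malformed', reason) for a message."""
    try:
        return "ok", parse_question(msg)["qname"]
    except MalformedName as exc:
        return "malformed", str(exc)


def encode_name(name: str) -> bytes:
    """Proper wire encoding: length-prefixed labels ending with a 0x00 root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid: int, qname_wire: bytes, qtype: int = 1) -> bytes:
    """Standard recursive query with one question; qname_wire is used verbatim."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname_wire + struct.pack("!HH", qtype, 1)


# Constructed samples. GOOD_QUERY asks for the bare host "moa" correctly;
# BAD_QUERY has the shape described above: 3-byte label, then 0xC0 0x0C
# (a pointer to offset 12, i.e. to itself) instead of the 0x00 terminator.
GOOD_QUERY = build_query(0x0001, encode_name("moa"))
BAD_QUERY = build_query(0x0001, b"\x03moa\xc0\x0c")
# A server echoing the bad question with RCODE=1 (FORMERR), as in frame 4's "Format error".
FORMERR_REPLY = struct.pack("!HHHHHH", 0x0001, 0x8181, 1, 0, 0, 0) + b"\x03moa\xc0\x0c" + struct.pack("!HH", 1, 1)
# A well-formed response whose answer owner name is a legitimate backward pointer to QNAME.
RESPONSE = (struct.pack("!HHHHHH", 0x0001, 0x8180, 1, 1, 0, 0) + encode_name("moa.example")
            + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
            + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    for label, msg in (("good query", GOOD_QUERY), ("bad query", BAD_QUERY), ("response", RESPONSE)):
        print(f"{label:10s} {len(msg):3d} bytes -> {check(msg)}")
    print("FORMERR reply:", rcode_name(FORMERR_REPLY), check(FORMERR_REPLY))
```

Running the block prints "ok" for the good query and the response, and a "creates a loop" reason for the bad query; the FORMERR reply shows the header RCODE is still readable even though its question section is not. The same decoder applied at the answer offset of RESPONSE shows how a backward pointer is the normal, valid use of 0xC0, which is exactly what a pointer in a fresh query can never be.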