
Message parser reports malformed message packet


Fábio Gomes

Nov 4, 2013, 1:49:06 PM
to bind-...@lists.isc.org
Hi,

  I'm having issues trying to resolve www.sondait.tasker.com.br. The result from dig +trace is as follows:

# dig www.sondait.tasker.com.br +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.sondait.tasker.com.br +trace
;; global options: +cmd
.                       516836  IN      NS      c.root-servers.net.
.                       516836  IN      NS      a.root-servers.net.
.                       516836  IN      NS      f.root-servers.net.
.                       516836  IN      NS      i.root-servers.net.
.                       516836  IN      NS      j.root-servers.net.
.                       516836  IN      NS      b.root-servers.net.
.                       516836  IN      NS      h.root-servers.net.
.                       516836  IN      NS      k.root-servers.net.
.                       516836  IN      NS      m.root-servers.net.
.                       516836  IN      NS      l.root-servers.net.
.                       516836  IN      NS      d.root-servers.net.
.                       516836  IN      NS      e.root-servers.net.
.                       516836  IN      NS      g.root-servers.net.
;; Received 512 bytes from 172.31.1.254#53(172.31.1.254) in 13 ms

br.                     172800  IN      NS      a.dns.br.
br.                     172800  IN      NS      b.dns.br.
br.                     172800  IN      NS      c.dns.br.
br.                     172800  IN      NS      d.dns.br.
br.                     172800  IN      NS      e.dns.br.
br.                     172800  IN      NS      f.dns.br.
;; Received 323 bytes from 192.203.230.10#53(192.203.230.10) in 139 ms

tasker.com.br.          86400   IN      NS      ns1.locaweb.com.br.
tasker.com.br.          86400   IN      NS      ns2.locaweb.com.br.
tasker.com.br.          86400   IN      NS      ns3.locaweb.com.br.
;; Received 153 bytes from 200.160.0.10#53(200.160.0.10) in 34 ms

;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
;; Connection to 201.76.40.2#53(201.76.40.2) for www.sondait.tasker.com.br failed: connection refused.
;; Connection to 187.45.246.2#53(187.45.246.2) for www.sondait.tasker.com.br failed: connection refused.
;; Connection to 189.126.108.2#53(189.126.108.2) for www.sondait.tasker.com.br failed: connection refused.


I don't know where to start to solve this issue. Using my Internet provider's DNS I got a positive answer.

Could you please help me solve this issue?


Thanks in advance.

Mark Andrews

Nov 4, 2013, 4:09:05 PM
to Fábio Gomes, postm...@locaweb.com.br, bind-...@isc.org

Their nameservers are broken. They are generating malformed
responses. They are sending partial records when the answer does
not fit. Note this ends halfway through an A record. Only the owner
name, class, type and the first two octets of the ttl are present
from the last RR.

Any records / rrsets added to a DNS QUERY response should be
*complete*.

I have CC'd postm...@locaweb.com.br but you may want to try other
channels to inform them that they have broken nameservers.

Mark

0x0000: 4500 021c 0000 4000 2c11 db95 c94c 2802 E.....@.,....L(.
0x0010: c0a8 bf44 0035 ddf6 0208 7e6c 5f9a 8600 ...D.5....~l_...
0x0020: 0001 0001 000d 000d 0377 7777 0773 6f6e .........www.son
0x0030: 6461 6974 0674 6173 6b65 7203 636f 6d02 dait.tasker.com.
0x0040: 6272 0000 0100 01c0 0c00 0500 0100 000e br..............
0x0050: 1000 2e10 7472 6961 6c2d 3139 3130 3037 ....trial-191007
0x0060: 3037 3639 0973 612d 6561 7374 2d31 0365 0769.sa-east-1.e
0x0070: 6c62 0961 6d61 7a6f 6e61 7773 0363 6f6d lb.amazonaws.com
0x0080: 0000 0002 0001 0007 e900 0014 0161 0c72 .............a.r
0x0090: 6f6f 742d 7365 7276 6572 7303 6e65 7400 oot-servers.net.
0x00a0: 0000 0200 0100 07e9 0000 0401 62c0 7200 ............b.r.
0x00b0: 0002 0001 0007 e900 0004 0163 c072 0000 ...........c.r..
0x00c0: 0200 0100 07e9 0000 0401 64c0 7200 0002 ..........d.r...
0x00d0: 0001 0007 e900 0004 0165 c072 0000 0200 .........e.r....
0x00e0: 0100 07e9 0000 0401 66c0 7200 0002 0001 ........f.r.....
0x00f0: 0007 e900 0004 0167 c072 0000 0200 0100 .......g.r......
0x0100: 07e9 0000 0401 68c0 7200 0002 0001 0007 ......h.r.......
0x0110: e900 0004 0169 c072 0000 0200 0100 07e9 .....i.r........
0x0120: 0000 0401 6ac0 7200 0002 0001 0007 e900 ....j.r.........
0x0130: 0004 016b c072 0000 0200 0100 07e9 0000 ...k.r..........
0x0140: 0401 6cc0 7200 0002 0001 0007 e900 0004 ..l.r...........
0x0150: 016d c072 c070 0001 0001 0036 ee80 0004 .m.r.p.....6....
0x0160: c629 0004 c08f 0001 0001 0036 ee80 0004 .).........6....
0x0170: c0e4 4fc9 c09e 0001 0001 0036 ee80 0004 ..O........6....
0x0180: c021 040c c0ad 0001 0001 0036 ee80 0004 .!.........6....
0x0190: 8008 0a5a c0bc 0001 0001 0036 ee80 0004 ...Z.......6....
0x01a0: c0cb e60a c0cb 0001 0001 0036 ee80 0004 ...........6....
0x01b0: c005 05f1 c0da 0001 0001 0036 ee80 0004 ...........6....
0x01c0: c070 2404 c0e9 0001 0001 0036 ee80 0004 .p$........6....
0x01d0: 803f 0235 c0f8 0001 0001 0036 ee80 0004 .?.5.......6....
0x01e0: c024 9411 c107 0001 0001 0036 ee80 0004 .$.........6....
0x01f0: c03a 801e c116 0001 0001 0036 ee80 0004 .:.........6....
0x0200: c100 0e81 c125 0001 0001 0036 ee80 0004 .....%.....6....
0x0210: c620 400c c134 0001 0001 0036 ..@..4.....6



;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.10.0a1 <<>> www.sondait.tasker.com.br @201.76.40.2 +nodnssec +noedns +ignore +besteffort +all +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58468
;; flags: qr aa tc; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; WARNING: Message has 6 extra bytes at end

;; QUESTION SECTION:
;www.sondait.tasker.com.br. IN A

;; ANSWER SECTION:
www.sondait.tasker.com.br. 3600 IN CNAME trial-1910070769.sa-east-1.elb.amazonaws.com.

;; AUTHORITY SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4
b.root-servers.net. 3600000 IN A 192.228.79.201
c.root-servers.net. 3600000 IN A 192.33.4.12
d.root-servers.net. 3600000 IN A 128.8.10.90
e.root-servers.net. 3600000 IN A 192.203.230.10
f.root-servers.net. 3600000 IN A 192.5.5.241
g.root-servers.net. 3600000 IN A 192.112.36.4
h.root-servers.net. 3600000 IN A 128.63.2.53
i.root-servers.net. 3600000 IN A 192.36.148.17
j.root-servers.net. 3600000 IN A 192.58.128.30
k.root-servers.net. 3600000 IN A 193.0.14.129
l.root-servers.net. 3600000 IN A 198.32.64.12

;; Query time: 368 msec
;; SERVER: 201.76.40.2#53(201.76.40.2)
;; WHEN: Tue Nov 05 07:56:01 EST 2013
;; MSG SIZE rcvd: 512


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
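
The check described in the reply above (every RR counted in the header must be present in full), as an added example that is not part of the original post. The helper names `skip_name`, `check_response`, `name` and `rr` are hypothetical, and the two messages are constructed with placeholder names; the broken one stops after the owner name, type, class and the first two octets of the TTL of its last RR.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a name (labels or a compression pointer)."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:               # 2-octet pointer always ends the name
            if off + 2 > len(msg):
                raise ValueError("compression pointer cut off")
            return off + 2
        if n == 0:                         # root label ends the name
            return off + 1
        off += 1 + n

def check_response(msg):
    """Walk every RR the header counts promise; report the first incomplete one."""
    if len(msg) < 12:
        return {"ok": False, "tc": False, "error": "header cut off"}
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    tc, off = bool(flags & 0x0200), 12
    try:
        for _ in range(qd):                # question: name + type + class
            off = skip_name(msg, off) + 4
        if off > len(msg):
            raise ValueError("question section cut off")
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for i in range(1, count + 1):
                start = off
                off = skip_name(msg, off)
                if off + 10 > len(msg):    # type, class, ttl, rdlength = 10 octets
                    raise ValueError(f"{section} RR {i}: only {len(msg) - start} octets present")
                off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
                if off > len(msg):
                    raise ValueError(f"{section} RR {i}: rdata cut off")
    except ValueError as e:
        return {"ok": False, "tc": tc, "error": str(e)}
    return {"ok": True, "tc": tc, "trailing": len(msg) - off}

# --- constructed sample messages (placeholder names, not the capture above) ---
def name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"

def rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

PTR_Q = b"\xc0\x0c"                        # pointer back to the question name
BODY = (name("www.example.test") + struct.pack("!HH", 1, 1)
        + rr(PTR_Q, 5, name("lb.example.net"))                   # CNAME answer
        + rr(name("ns.example.net"), 1, bytes([192, 0, 2, 1])))  # complete A RR
GOOD = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 1) + BODY
# Header claims two additional RRs (qr aa tc set); the second is cut mid-TTL.
BROKEN = struct.pack("!6H", 0x1234, 0x8600, 1, 1, 0, 2) + BODY + rr(PTR_Q, 1, bytes(4))[:8]
```

`check_response(BROKEN)` reports the second additional RR as incomplete with 8 octets present, while `check_response(GOOD)` walks to the end with no trailing bytes.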

Matus UHLAR - fantomas

Nov 5, 2013, 5:07:14 AM
to bind-...@lists.isc.org
On 04.11.13 16:49, Fábio Gomes wrote:
>  I'm having issues trying to resolve www.sondait.tasker.com.br. The result from dig +trace is as follows:

[...]
>tasker.com.br.          86400   IN      NS      ns1.locaweb.com.br.
>tasker.com.br.          86400   IN      NS      ns2.locaweb.com.br.
>tasker.com.br.          86400   IN      NS      ns3.locaweb.com.br.
>;; Received 153 bytes from 200.160.0.10#53(200.160.0.10) in 34 ms
>
>;; Warning: Message parser reports malformed message packet.
>;; Truncated, retrying in TCP mode.
>;; Connection to 201.76.40.2#53(201.76.40.2) for www.sondait.tasker.com.br failed: connection refused.
>;; Connection to 187.45.246.2#53(187.45.246.2) for www.sondait.tasker.com.br failed: connection refused.
>;; Connection to 189.126.108.2#53(189.126.108.2) for www.sondait.tasker.com.br failed: connection refused.

funny response:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; Received 520 bytes from 201.76.40.2#53(201.76.40.2) in 235 ms

I would expect root NS referrals to be in additional section, therefore not
causing truncation.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.

Fábio Gomes

Nov 5, 2013, 7:02:48 AM
to bind-...@isc.org
Thank you, Mark.

I'm gonna try to contact the domain owners as well, but I noticed my enterprise DNS can get a correct answer for that domain. Is there any way I can force different response from localweb servers until I got this permanently fixed? Like force UDP packet sizes or disable EDNS for that domain? Could you also, please, share the tcpdump line you used to get that package details?

Regards


Matus UHLAR - fantomas

Nov 5, 2013, 7:19:06 AM
to bind-...@lists.isc.org
On 05.11.13 10:02, Fábio Gomes wrote:
>I'm gonna try to contact the domain owners as well, but I noticed my
> enterprise DNS can get a correct answer for that domain. Is there any way
> I can force different response from localweb servers until I got this
> permanently fixed? Like force UDP packet sizes or disable EDNS for that
> domain? Could you also, please, share the tcpdump line you used to get
> that package details?

seems their nameservers are working correctly now, with or without TCP (even
with EDNS0)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.

Mark Andrews

Nov 5, 2013, 7:33:39 AM
to Fábio Gomes, bind-...@isc.org

In message <BLU172-W5120E3BCB...@phx.gbl>, Fábio Gomes writes:
> Thank you, Mark.
>
> I'm gonna try to contact the domain owners as well, but I noticed my
> enterprise DNS can get a correct answer for that domain. Is there any
> way I can force different response from localweb servers until I got
> this permanently fixed?
> Like force UDP packet sizes or disable EDNS for that domain?

You actually want to use EDNS with bigger packet sizes as you need
to get the entire response including additional records into the
UDP response.

Make sure your firewall passes fragmented packets and allows UDP
responses bigger than 512 bytes. If your firewall is blocking
fragments or UDP responses bigger than 512 bytes then named will
be forced back to 512 bytes which will then interact badly with this
nameserver.

> Could you also,
> please, share the tcpdump line you used to get that package details?

tcpdump -s 0 -X

Fábio Gomes

Nov 5, 2013, 7:50:03 AM
to bind-...@isc.org
Continuing investigating the issue, I noticed the following lines:

>>>> ;; Warning: Message parser reports malformed message packet.
>>>> ;; Truncated, retrying in TCP mode.
>>>> ;; Connection to 201.76.40.2#53(201.76.40.2) for
>>>> www.sondait.tasker.com.br failed: connection refused.


Even if my firewalls are not allowing udp packages bigger than 512, the retry to port 53 should work. Right?

I'm trying to reach my client's network team and check if their DNS servers are allowed to make outbound connections to port 53. Which seems it is not the case.

I'll reply to this thread once I contact the firewall's owner.

Thank you very much!



Matus UHLAR - fantomas

Nov 5, 2013, 7:56:20 AM
to bind-...@lists.isc.org
>>>>> ;; Warning: Message parser reports malformed message packet.
>>>>> ;; Truncated, retrying in TCP mode.
>>>>> ;; Connection to 201.76.40.2#53(201.76.40.2) for
>>>>> www.sondait.tasker.com.br failed: connection refused.

On 05.11.13 10:50, Fábio Gomes wrote:
>Even if my firewalls are not allowing udp packages bigger than 512, the
> retry to port 53 should work. Right?

If your firewall is not allowing DNS UDP packets bigger than 512 bytes,
replace that firewall. It's apparently the source of your problems. DNS UDP
packets can be bigger than 512 bytes for more than 15 years.

DNS over TCP should still work, unless your firewall blocks those too...

>I'm trying to reach the my client's network team and check if their DNS
> servers are allowed to make outbound connections to port 53. Which seems
> it is not the case.
>
>I'll reply to this thread once I contact the firewall's owner.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
M$ Win's are shit, do not use it !

Mark Andrews

Nov 5, 2013, 8:05:15 AM
to bind-...@isc.org

In message <20131105121...@fantomas.sk>, Matus UHLAR - fantomas writes:
> On 05.11.13 10:02, Fábio Gomes wrote:
> >I'm gonna try to contact the domain owners as well, but I noticed my
> > enterprise DNS can get a correct answer for that domain. Is there any way
> > I can force different response from localweb servers until I got this
> > permanently fixed? Like force UDP packet sizes or disable EDNS for that
> > domain? Could you also, please, share the tcpdump line you used to get
> > that package details?
>
> seems their nameservers are working correctly now, with or without TCP (even
> with EDNS0)

No they are not. EDNS hides the problem. If you use plain DNS the
problem is still visible.

Mark

;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.0a1 <<>> www.sondait.tasker.com.br +noedns @201.76.40.2 +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45899
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
m.root-servers.net. 3600000 IN A 202.12.27.33

;; Query time: 819 msec
;; SERVER: 201.76.40.2#53(201.76.40.2)
;; WHEN: Wed Nov 06 00:03:39 EST 2013
;; MSG SIZE rcvd: 520

