DNS port Reserved Bit Set

Hi everyone,

My firewall gives this alert on the NTP server. Has anyone had this alert, or know of a way to avoid it?

Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set

Thanks

Any IPv4 address on the Internet, and any notable IPv6 address, will receive scans and bad traffic.

Maybe your firewall’s documentation shows how to turn off this alert?

I haven’t investigated it, but my NTP servers receive a low rate of nonsensical, 48-byte packets on UDP port 53. Usually they’re seemingly from Google Cloud IP addresses. I assume they are NTP packets that have lost their way for some reason, but I haven’t picked them apart.

FYI, the DNS wire format contains one reserved bit that must be zero, labeled Z in this diagram:

                                           1  1  1  1  1  1
             0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            |                      ID                       |
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

(RFC 2535 section 6.1. The RFC has been superseded and is obsolete. Don’t read it.)

If you compare it with an NTP packet, I suppose that location is bit 25, part of the precision field:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |LI | VN  |Mode |    Stratum    |     Poll      |  Precision    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

(RFC 5905 section 7.3 as corrected by erratum 4263.)
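Why an NTP datagram can trip a DNS "Reserved Bit Set" signature, as an added worked example that is not part of any post in this thread: the same 48 bytes are decoded once as a DNS header and once as an NTP header, showing that DNS bit 25 (the Z bit) falls inside the NTP precision byte. The sample datagrams are constructed, and the classification labels are my own, not the firewall's.

```python
import struct

DNS_HEADER_LEN = 12   # ID, flags, and four 16-bit section counts
NTP_HEADER_LEN = 48   # a bare NTP packet without extension fields or MAC
DNS_Z_MASK = 0x0040   # bit 9 of the DNS flags word = bit 25 of the datagram

def dns_z_bit_set(payload: bytes) -> bool:
    """True when the DNS reserved Z bit is set (RFC 2535 s6.1: must be zero)."""
    if len(payload) < DNS_HEADER_LEN:
        return False
    _ident, flags = struct.unpack("!HH", payload[:4])
    return bool(flags & DNS_Z_MASK)

def parse_ntp_first_word(payload: bytes):
    """Decode LI/VN/Mode, stratum, poll and precision (RFC 5905 s7.3).

    Deliberately loose heuristic: None unless the datagram is exactly 48 bytes
    with a plausible version and a client (3) or server (4) mode."""
    if len(payload) != NTP_HEADER_LEN:
        return None
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    vn, mode = (li_vn_mode >> 3) & 0x7, li_vn_mode & 0x7
    if not (1 <= vn <= 4) or mode not in (3, 4):
        return None
    return {"vn": vn, "mode": mode, "stratum": stratum,
            "poll": poll, "precision": precision}

def classify_port53_payload(payload: bytes) -> str:
    """Triage label for a UDP payload seen on port 53 (constructed labels)."""
    ntp = parse_ntp_first_word(payload)
    z_set = dns_z_bit_set(payload)
    if ntp is not None:
        # DNS bit 25 is mask 0x40 of the NTP precision byte; any negative
        # precision from -64 to -1 (e.g. -20, about 1 microsecond) sets it
        return "ntp-on-dns-port" + ("/z-set" if z_set else "")
    if z_set:
        return "dns-noncompliant"
    return "dns-compliant"

# Constructed sample datagrams, not captures from the thread
NTP_SERVER_REPLY = bytes([0x24, 0x02, 0x06, 0xEC]) + bytes(44)  # VN4 mode4, stratum 2, poll 6, precision -20
NTP_CLIENT_REQ = bytes([0x23, 0x00, 0x00, 0x00]) + bytes(44)    # VN4 mode3, precision 0
QNAME = b"\x07example\x03com\x00\x00\x01\x00\x01"               # example.com A IN
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QNAME  # RD only
DNS_BAD = struct.pack("!HHHHHH", 0x1234, 0x0140, 1, 0, 0, 0) + QNAME    # RD + Z set

if __name__ == "__main__":
    for name, pkt in [("ntp server reply", NTP_SERVER_REPLY), ("ntp client request", NTP_CLIENT_REQ),
                      ("dns query", DNS_QUERY), ("dns with Z set", DNS_BAD)]:
        print(f"{name:20s} len={len(pkt):3d} {classify_port53_payload(pkt)}")
```

A server reply with a typical negative precision is flagged, while a client request with precision 0 slips through the same signature, which is why the alerts look intermittent.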

Hi mnordhoff,
I want to thank you for your comment. I’ve been analyzing all the information and it leads me to believe that it is a false positive generated by my router.

Thanks.

I assume this is likely DDoS traffic, using your NTP server as a reflector (not an amplifier) to nuke away internet servers.
By sending packets with a spoofed source address of the victim and the source port of the service you want to take offline (in this case DNS), your NTP server will respond with a small packet.
Do this to all pool servers at a very low rate each, and you will flood the victim with millions of packets, rendering the targeted service unreachable.