DNS port Reserved Bit Set

Server operators
,
1

Hi everyone,

My firewall gives this alert on the ntp server. Has anyone had this alert or know of a way to avoid it.

Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set

Thanks

2

Any IPv4 address on the Internet, and any notable IPv6 address, will receive scans and bad traffic.

Maybe your firewall’s documentation shows how to turn off this alert?

I haven’t investigated it, but my NTP servers receive a low rate of nonsensical, 48-byte packets on UDP port 53. Usually they’re seemingly from Google Cloud IP addresses. I assume they are NTP packets that have lost their way for some reason, but I haven’t picked them apart.

FYI, the DNS wire format contains one reserved bit that must be zero, labeled Z in this diagram:

                                           1  1  1  1  1  1
             0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            |                      ID                       |
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            |QR|   Opcode  |AA|TC|RD|RA| Z|AD|CD|   RCODE   |
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

(RFC 2535 section 6.1. The RFC has been superseded and is obsolete. Don’t read it.)

If you compare it with an NTP packet, I suppose that location is bit 25, part of the precision field:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |LI | VN  |Mode |    Stratum    |     Poll      |  Precision    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

(RFC 5905 section 7.3 as corrected by erratum 4263.)

3

Hi mnordhoff,
I want to thank you for your comment. I’ve been analyzing all the information and it leads me to believe that it is a false positive generated by my router.

Thanks.

4

I assume this is likely DDoS traffic, using your NTP server as a reflector (not amplificator) to nuke away internet servers.
By sending packets with a spoofed source address of the victim and the source port of the service you want to take offline (in this case DNS), your NTP server will respond with a small packet.
Do this to all pool servers at a very low rate each, you will flood the victim with millions of packets, rendering the targeted service unreachable.