Annoying network traffic
Eigil Bjorgum
Eigil.Bjorgum at microdesign.no
Wed Feb 18 17:01:16 GMT 1998
Hello all.
This is not a typical Samba question, but probably are of interest to those
of you with an expensive ISDN connection, and others as well.
I have the following scanario:
A couple of Win95 boxes, a NT 4.0/SP3 and a Solaris x86 running Samba.
The Solaris box is also running DNS. In addition I have a Cisco router for
the ISDN connection.
When I some time ago noticed that my router regularely generated calls to my
ISP, I suspected this to be traffic on the 137 and 139 ports. Easy match I
thought, just stop the packets from leaving the router, and did so.
But it didn't stop.
I have to add here that these packets wakes up the router in intervals of
approx 5 minutes. (I pay a connection fee each time plus another fee each
minute of connection time, and this adds up to a lot of money. It would be
cheaper to have a longer idle-timeout to keep the line live for 24 hours)
Next thing to try was to start a packet trace on the network. This was
definately surprise time! I have included a packet trace so you can see for
yourself. Most of the uninteresting crap are stripped off.
The string "0#SoftwareMicrosoftRpcClientProtocols\7MY\2DOMAIN\0" is supposed
to be a host name! The clue here is that a host with that name has never
existed on my network! It is the NT machine that is sending these crazy
requests to the DNS, and I cannot simply turn off the DNS traffic through
the router.
Comments continued between the DNS packets:
IP: Source address = 192.168.0.10, NT-400.MY.DOMAIN
IP: Destination address = 192.168.0.2, NAMESERVER.MY.DOMAIN
IP: No options
UDP: Source port = 2317
UDP: Destination port = 53 (DNS)
DNS:
"\1[\1\0\0\1\0\0\0\0\0\0#SoftwareMicrosoftRpcClientProtocols\7MY\2DOMAIN\0"
This is what happens:
The NT workstation send this packet and the DNS will of course not honor
this request as you se in the next packet. As far I can see, the Win95 boxes
are not generating requests like this.
IP: Source address = 192.168.0.2, NAMESERVER.MY.DOMAIN
IP: Destination address = 192.168.0.10, NT-400.MY.DOMAIN
IP: No options
UDP: Source port = 53
UDP: Destination port = 2317
DNS:
"\1[\205\203\0\1\0\0\0\1\0\0#SoftwareMicrosoftRpcClientProtocols\7MY\2DOMAIN
\0"
In the next packet, the NT strips off the domain name and tries again.
IP: Source address = 192.168.0.10, NT-400.MY.DOMAIN
IP: Destination address = 192.168.0.2, NAMESERVER.MY.DOMAIN
UDP: Source port = 2318
UDP: Destination port = 53 (DNS)
DNS:
"\1\\1\0\0\1\0\0\0\0\0\0#SoftwareMicrosoftRpcClientProtocols\0\0\1\0\1"
The DNS server then forwards the packet to one of the root domain servers.
IP: Source address = 192.168.0.2, NAMESERVER.MY.DOMAIN
IP: Destination address = 198.41.0.4, a.root-servers.net
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
DNS:
"\21\306\0\0\0\1\0\0\0\0\0\0#SoftwareMicrosoftRpcClientProtocols\0\0\1\0\1"
And get the answer back, not honored either.
IP: Source address = 198.41.0.4, a.root-servers.net
IP: Destination address = 192.168.0.2, NAMESERVER.MY.DOMAIN
UDP: Source port = 53
UDP: Destination port = 53 (DNS)
DNS:
"\21\306\204\3\0\1\0\0\0\1\0\0#SoftwareMicrosoftRpcClientProtocols\0\0\1\0\1
\0\0\6\0\1\0\1"
My DNS server then returns the answer to the NT machine.
IP: Source address = 192.168.0.2, NAMESERVER.DOMAIN.DOMAIN
IP: Destination address = 192.168.0.10, NT-400.MY.DOMAIN
UDP: Source port = 53
UDP: Destination port = 2318
DNS:
"\1\\205\203\0\1\0\0\0\1\0\0#SoftwareMicrosoftRpcClientProtocols\0\0\1\0\1\0
\0\6\0\1\0\1"
This is yet another protocol where Micro$oft abuses the standards.
I suspect my telephone company to have payed Bill Gates for this
functionality:-(
A part of the idea here was to reduce the remote DNS requests by using local
DNS to solve local names!
I have to admit that I haven't tried a lot of settings on my NT to get rid
of this, except for one thing. I turned OFF 'DNS for Wins Resolution' in the
TCP/IP properties. That seemed to help, but just for a while (1 day). Now it
has started again.
Any hints that can help this are appreciated, and I also ask the Samba
developers to think twice before implementing this behaviour in Samba.
Samba is great!
Best regards
--
Eigil
mailto:Eigil.Bjorgum at microdesign.no
More information about the samba
mailing list