[dns-operations] Strange 0.0.0.0.p.t.t.h.ip6.arpa. queries

Ask Bjørn Hansen ask at develooper.com
Tue Oct 9 07:39:42 UTC 2007


[ I tried posting this on nanog a few days ago, but it didn't go  
through.  It was suggested that this might be the best place to ask  
anyway and since trying to post to nanog I figured it out, sorta ].

Hi everyone,

I run the pool.ntp.org system.   Many recent Linux (and others)  
distributions default to using {0,1,2,3}.pool.ntp.org for NTP  
services.    The pool system monitors about 1400 ntp servers that  
have volunteered to be part of the pool.   The DNS requests resolve  
to a random-ish selection of currently active and well-functioning  
NTP servers.  Voilà - massively scaled NTP service.

Recently I changed the nameserver software for pool.ntp.org to give  
better answers to the queries and in the process I occasionally  
looked in the logs (woah - never look in your nameserver logs; what  
an amazing amount of bogus queries - I can't imagine how painful it  
must be to see the root-server traffic).

In particular we are getting a few hundred thousand PTR queries for  
"0.0.0.0.p.t.t.h.ip6.arpa." every hour to the pool.ntp.org servers  
({a,b,c,d,e}.ntpns.org).

After a bit of time staring at the log from my nameserver and tcpdump  
output I realized it is people trying to resolve  
"http://north-america.pool.ntp.org." (possibly with a broken request  
packet, I didn't look that closely).   Somehow Net::DNS::Nameserver  
translates that to a PTR request.

In any case it's a bad request -- we don't have a  
"http://north-america" host.   I'm not sure what the best thing to do  
with it would be though.   I could make my nameserver give them back a  
working IP address - since that'd be cached better it'd also lower the  
number of these queries to my nameserver.   But I'd rather not  
encourage the misconfigured clients.

   I could try to track down if someone made software with this  
particular misconfiguration; but with millions of users that's hard.

Any suggestions?   What's the operationally reasonable thing to do?

2007-10-05 22:31:43.792296500 193.162.153.170 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:43.795737500 193.162.153.162 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:43.907498500 62.254.206.205 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:45.141533500 68.87.85.100 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:45.434304500 68.87.73.243 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:45.769949500 200.47.10.93 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN


  - ask

-- 
http://develooper.com/ - http://askask.com/
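An added example, not code from the post or from the pool.ntp.org nameserver, that applies the same reading of the bogus name to a query log: a well-formed ip6.arpa PTR owner is 32 single hex-digit labels in reverse nibble order, so reversing the labels of "0.0.0.0.p.t.t.h" spells out "http0000", the leading text of the mangled URL. The log layout is assumed to match the excerpt above (one record per line), and the sample lines are constructed, including one well-formed PTR query for 2001:db8::1 and one A query for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the log excerpt in the post, one record per line.
# The last two lines (a valid PTR for 2001:db8::1 and an A query) are added for contrast.
SAMPLE_LOG = "\n".join([
    "2007-10-05 22:31:43.792296500 193.162.153.170 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN",
    "2007-10-05 22:31:43.795737500 193.162.153.162 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN",
    "2007-10-05 22:31:45.141533500 68.87.85.100 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN",
    "2007-10-05 22:31:46.000000000 192.0.2.10 | 1" + ".0" * 23 + ".8.b.d.0.1.0.0.2.ip6.arpa. | PTR IN",
    "2007-10-05 22:31:47.000000000 192.0.2.11 | 0.pool.ntp.org. | A IN",
])

# timestamp | client | qname | qtype qclass, as in the excerpt (assumed layout)
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) \| (\S+) \| (\S+) (\S+)$")
HEX_NIBBLES = set("0123456789abcdef")

def decode_ip6_arpa(qname):
    """Classify a PTR owner name under ip6.arpa.

    Returns ("valid", compressed address) for 32 hex-nibble labels,
    ("bogus", reason) otherwise, or None if not under ip6.arpa at all.
    """
    name = qname.rstrip(".").lower()
    if not name.endswith(".ip6.arpa"):
        return None
    labels = name[: -len(".ip6.arpa")].split(".")
    if any(len(lab) != 1 or lab not in HEX_NIBBLES for lab in labels):
        # Reversing the labels restores the original text order, which is how
        # "0.0.0.0.p.t.t.h" reveals the leading "http" of a mangled URL.
        return ("bogus", "non-hex labels, reversed: " + "".join(reversed(labels)))
    if len(labels) != 32:
        return ("bogus", "%d nibbles, expected 32" % len(labels))
    addr = ipaddress.IPv6Address(int("".join(reversed(labels)), 16))
    return ("valid", str(addr))

def audit_ptr_queries(log_text):
    """Return (per_source, per_name) Counters of bogus ip6.arpa PTR queries."""
    per_source, per_name = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        _ts, src, qname, qtype, _qclass = m.groups()
        verdict = decode_ip6_arpa(qname) if qtype == "PTR" else None
        if verdict and verdict[0] == "bogus":
            per_source[src] += 1
            per_name[qname] += 1
    return per_source, per_name
```

Run over SAMPLE_LOG it counts three bogus queries, all for the same name, and leaves the well-formed PTR and the A query alone; per_source is what you would use to see whether the traffic is a few busy resolvers or many individual clients.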



More information about the dns-operations mailing list