[dns-operations] Strange 0.0.0.0.p.t.t.h.ip6.arpa. queries
Duane Wessels
wessels at packet-pushers.com
Tue Oct 9 15:48:29 UTC 2007
On Tue, 9 Oct 2007, Ask Bjørn Hansen said:
> After a bit of time staring at the log from my nameserver and tcpdump
> output I realized it is people trying to resolve "http://north-
> america.pool.ntp.org." (possibly with a broken request packet, I
> didn't look that closely). Somehow Net::DNS::Nameserver translates
> that to a PTR request.
I checked and Net::DNS::Resolver does indeed assume that "http://foo"
is an IPv6 address and will generate a PTR query for it. The
Net::DNS::Question documentation says
RFC4291 and RFC4632 IP address/prefix notation is supported for
queries in in-addr.arpa and ip6.arpa subdomains.
and the code uses this regex:
my $reverse = dns_addr($qname) if $qname =~ m/\d$|[:\/]/o;
So URL-looking string will be treated as a reverse lookup.
But even if it didn't send a PTR query, it would probably send you
A queries for the URL. Since you get so many queries, it seems
like someone is shipping a default ntp.conf file with the URL in
it, instead of the host name?
As you said, nameservers receive all kinds of junk and I expect
that confusing URLs for IPv6 addresses will be a common problem.
It would be nice if libraries like Net::DNS would detect the URL
and then return an error message, but I'm not too optimistic that
will happen. i.e., I wouldn't blame Olaf for wanting to keep is
code pure and not put in a lot of hard-coded exceptions.
>
> In any case it's a bad request -- we don't have a "http://north-
> america" host. I'm not sure what the best to do with it would be
> though. I could make my nameserver give them back a working IP
> address - since that'd be cached better it'd also lower the number of
> these queries to my nameserver. But I'd rather not encourage the
> misconfigured clients.
Since you're getting a PTR query, you probably can't return a working
IP address. I mean, you could, but I'm not sure what Net::DNS or
the application would do with it.
If your goal is to reduce nameserver load then you could try creating
a "h.ip6.arpa" zone on your nameserver, and put in a wildcard PTR
record with a long TTL.
Duane W.
More information about the dns-operations
mailing list