[dns-operations] Strange queries

Duane Wessels wessels at packet-pushers.com
Tue Oct 9 15:48:29 UTC 2007

On Tue, 9 Oct 2007, Ask Bjørn Hansen said:

> After a bit of time staring at the log from my nameserver and tcpdump
> output I realized it is people trying to resolve
> "http://north-america.pool.ntp.org." (possibly with a broken request
> packet, I didn't look that closely).   Somehow Net::DNS::Nameserver
> translates that to a PTR request.

I checked and Net::DNS::Resolver does indeed assume that "http://foo"
is an IPv6 address and will generate a PTR query for it.  The
Net::DNS::Question documentation says

     RFC4291 and RFC4632 IP address/prefix notation is supported for
     queries in in-addr.arpa and ip6.arpa subdomains.

and the code uses this regex:

         my $reverse = dns_addr($qname) if $qname =~ m/\d$|[:\/]/o;

So a URL-looking string will be treated as a reverse lookup.

But even if it didn't send a PTR query, it would probably send you
A queries for the URL.  Since you get so many queries, it seems
like someone is shipping a default ntp.conf file with the URL in
it, instead of the host name?

As you said, nameservers receive all kinds of junk and I expect
that confusing URLs for IPv6 addresses will be a common problem.
It would be nice if libraries like Net::DNS would detect the URL
and then return an error message, but I'm not too optimistic that
will happen.  i.e., I wouldn't blame Olaf for wanting to keep his
code pure and not put in a lot of hard-coded exceptions.

> In any case it's a bad request -- we don't have a
> "http://north-america" host.   I'm not sure what the best thing to do with it would be
> though.   I could make my nameserver give them back a working IP
> address - since that'd be cached better it'd also lower the number of
> these queries to my nameserver.   But I'd rather not encourage the
> misconfigured clients.

Since you're getting a PTR query, you probably can't return a working
IP address.  I mean, you could, but I'm not sure what Net::DNS or
the application would do with it.

If your goal is to reduce nameserver load then you could try creating
a "h.ip6.arpa" zone on your nameserver, and put in a wildcard PTR
record with a long TTL.

Duane W.
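
The heuristic discussed above, ported to Python as an added example (not part of the original message and not Net::DNS code): it shows which names trip the quoted regex and how a caller could reject URL-shaped input before it reaches a resolver. The `classify` and `audit` functions, the verdict labels and the sample names are assumptions made for illustration.

```python
import ipaddress
import re

# Python port of the test quoted above from Net::DNS: m/\d$|[:\/]/
REVERSE_HEURISTIC = re.compile(r"\d$|[:/]")
# Assumption: "scheme://" marks a URL pasted where a host name belongs.
URL_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def triggers_reverse_heuristic(qname):
    """True when the quoted regex would send the name down the reverse path."""
    return REVERSE_HEURISTIC.search(qname) is not None


def is_address_or_prefix(qname):
    """True only for real IPv4/IPv6 address or prefix notation."""
    try:
        ipaddress.ip_network(qname, strict=False)
        return True
    except ValueError:
        return False


def classify(qname):
    """Hypothetical pre-resolver check: decide what to do with a name."""
    name = qname.strip()
    if URL_PREFIX.match(name):
        return "reject-url"        # e.g. a URL in ntp.conf instead of a host
    if is_address_or_prefix(name):
        return "reverse"           # genuine PTR lookup
    if ":" in name or "/" in name:
        return "reject-malformed"  # never legal in a host name
    return "forward"               # ordinary A/AAAA lookup


def audit(names):
    """Return (name, heuristic fired?, verdict) for each input."""
    return [(n, triggers_reverse_heuristic(n), classify(n)) for n in names]


# Constructed sample names; the URL form is the one reported in the thread.
SAMPLES = ["http://north-america.pool.ntp.org.", "north-america.pool.ntp.org.",
           "192.0.2.1", "2001:db8::1", "192.0.2.0/24", "host1", "foo:bar"]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Names such as `host1` also trip the regex because of the trailing digit, so the regex alone cannot separate addresses from host names; the address parse does that.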
