[dns-operations] Strange 0.0.0.0.p.t.t.h.ip6.arpa. queries

Ask Bjørn Hansen ask at develooper.com
Tue Oct 9 19:03:03 UTC 2007


On Oct 9, 2007, at 8:48, Duane Wessels wrote:

>> After a bit of time staring at the log from my nameserver and tcpdump
>> output I realized it is people trying to resolve "http://north-
>> america.pool.ntp.org." (possibly with a broken request packet, I
>> didn't look that closely).   Somehow Net::DNS::Nameserver translates
>> that to a PTR request.
>
> I checked and Net::DNS::Resolver does indeed assume that "http://foo"
> is an IPv6 address and will generate a PTR query for it.  The
> Net::DNS::Question documentation says
>
>     RFC4291 and RFC4632 IP address/prefix notation is supported for
>     queries in in-addr.arpa and ip6.arpa subdomains.
>
> and the code uses this regex:
>
>         my $reverse = dns_addr($qname) if $qname =~ m/\d$|[:\/]/o;
>
> So a URL-looking string will be treated as a reverse lookup.

Woah - that's nuts!  Thanks for looking this up for me....

> But even if it didn't send a PTR query, it would probably send you
> A queries for the URL.  Since you get so many queries, it seems
> like someone is shipping a default ntp.conf file with the URL in
> it, instead of the host name?

I suspect that Net::DNS somehow translates the A query into a PTR query.

I'll see if I can find time to write some tests and a patch.

It might make sense to try to do that when making queries, but it  
doesn't when using the code on the other side (as a server).

Thanks again.   Now I can get it fixed so at least I'll see just the  
misconfigured queries rather than misinterpreted misconfigured  
queries.  :-)

Btw, I'm leaning towards just supporting them; maybe have them be a  
CNAME to the proper record.


   - ask

-- 
http://develooper.com/ - http://askask.com/
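
The heuristic quoted above, applied to a few constructed names, as an added example (not part of the original message and not Net::DNS code). It reproduces only the quoted regex test, not the `dns_addr` conversion, and adds a stricter address check plus a filter for ip6.arpa names with non-nibble labels such as the one in the subject line; all function names and the `host1` sample are assumptions.

```python
import ipaddress
import re

# The test quoted in the post: a trailing digit, or any ':' or '/'.
QUOTED_HEURISTIC = re.compile(r"\d$|[:/]")
HEX_NIBBLE = re.compile(r"[0-9a-f]")


def heuristic_says_reverse(qname: str) -> bool:
    """True when the quoted regex would send qname down the reverse-lookup path."""
    return QUOTED_HEURISTIC.search(qname) is not None


def is_ip_or_prefix(qname: str) -> bool:
    """Stricter check: qname must actually parse as an IP address or prefix."""
    try:
        ipaddress.ip_network(qname, strict=False)
        return True
    except ValueError:
        return False


def malformed_ip6_arpa(qname: str) -> bool:
    """True for an ip6.arpa name with a label that is not a single hex nibble."""
    name = qname.rstrip(".").lower()
    if not name.endswith(".ip6.arpa"):
        return False
    labels = name[: -len(".ip6.arpa")].split(".")
    return any(HEX_NIBBLE.fullmatch(label) is None for label in labels)


def triage(qnames):
    """Names the heuristic treats as reverse lookups although they are not addresses."""
    return [q for q in qnames if heuristic_says_reverse(q) and not is_ip_or_prefix(q)]


# Constructed sample input, not taken from a real query log.
SAMPLE_QNAMES = [
    "http://north-america.pool.ntp.org.",  # URL form described in the post
    "north-america.pool.ntp.org.",         # plain host name
    "host1",                               # hypothetical name ending in a digit
    "2001:db8::1",                         # documentation IPv6 address
    "192.0.2.0/24",                        # documentation IPv4 prefix
    "0.0.0.0.p.t.t.h.ip6.arpa.",           # name from the subject line
]

if __name__ == "__main__":
    for q in SAMPLE_QNAMES:
        print(q, heuristic_says_reverse(q), is_ip_or_prefix(q), malformed_ip6_arpa(q))
```
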




