[dns-operations] Strange 0.0.0.0.p.t.t.h.ip6.arpa. queries
    Ask Bjørn Hansen
    ask at develooper.com
    Tue Oct  9 19:03:03 UTC 2007

On Oct 9, 2007, at 8:48, Duane Wessels wrote:

>> After a bit of time staring at the log from my nameserver and tcpdump
>> output I realized it is people trying to resolve
>> "http://north-america.pool.ntp.org." (possibly with a broken request
>> packet, I didn't look that closely).   Somehow Net::DNS::Nameserver
>> translates that to a PTR request.
>
> I checked and Net::DNS::Resolver does indeed assume that "http://foo"
> is an IPv6 address and will generate a PTR query for it.  The
> Net::DNS::Question documentation says
>
>     RFC4291 and RFC4632 IP address/prefix notation is supported for
>     queries in in-addr.arpa and ip6.arpa subdomains.
>
> and the code uses this regex:
>
>         my $reverse = dns_addr($qname) if $qname =~ m/\d$|[:\/]/o;
>
> So a URL-looking string will be treated as a reverse lookup.

Woah - that's nuts!  Thanks for looking this up for me....

> But even if it didn't send a PTR query, it would probably send you
> A queries for the URL.  Since you get so many queries, it seems
> like someone is shipping a default ntp.conf file with the URL in
> it, instead of the host name?

I suspect that Net::DNS somehow translates the A query into a PTR query.
I'll see if I can find time to write some tests and a patch.

It might make sense to try to do that when making queries, but it
doesn't when using the code on the other side (as a server).

Thanks again.   Now I can get it fixed so at least I'll see just the
misconfigured queries rather than misinterpreted misconfigured
queries.  :-)

Btw, I'm leaning towards just supporting them; maybe have them be a
CNAME to the proper record.

   - ask
-- 
http://develooper.com/ - http://askask.com/
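
Added illustration of the heuristic discussed in this thread (not code from the thread or from Net::DNS): the quoted pattern, transcribed into Python, next to a stricter check that only accepts strings that parse as an IP address or prefix. The stricter check, the `classify` labels and all sample names except the first are assumptions of this example.

```python
import ipaddress
import re

# Heuristic transcribed from the Net::DNS line quoted above:
#   $qname =~ m/\d$|[:\/]/
LOOSE_REVERSE = re.compile(r"\d$|[:/]")
# A scheme prefix marks a URL pasted where a host name belongs.
URL_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def loose_is_reverse(qname: str) -> bool:
    """True when the quoted heuristic would treat qname as an address."""
    return LOOSE_REVERSE.search(qname) is not None


def strict_reverse_target(qname: str):
    """Return the parsed address/prefix, or None if qname is not one.

    Assumption of this example: only strings that parse as an IPv4/IPv6
    address or prefix are candidates for in-addr.arpa / ip6.arpa mapping.
    """
    try:
        return ipaddress.ip_network(qname, strict=False)
    except ValueError:
        return None


def classify(qname: str) -> str:
    """Label a query name: 'address', 'url-like' or 'name'."""
    if strict_reverse_target(qname) is not None:
        return "address"
    if URL_SCHEME.match(qname):
        return "url-like"
    return "name"


# Constructed sample names; only the first comes from the thread.
SAMPLES = [
    "http://north-america.pool.ntp.org.",
    "north-america.pool.ntp.org.",
    "ntp2",
    "192.0.2.1",
    "2001:db8::/32",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q:38} loose={loose_is_reverse(q)!s:5} strict={classify(q)}")
```

The loose pattern flags both the URL and the plain host name `ntp2` as reverse lookups, while the strict check keeps them as names and lets a server log the URL form as a client misconfiguration.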