RE: OT: lots of IPv6 DNS requests

2008-06-12 Thread Wojciech Puchar


>> Nameservers are hitting an address of yours.  Therefore something is
>> probably handing out your address.  Somebody (that would be me) has
>> looked up the address in question and even looked up the nameserver
>> which is handing out that address in a glue record.

> A simple problem EASILY solved.


thank all for help. i asked the registrar (gdynia.pl) to fix a problem 
with one of their DNS keeping very old data with dns3 still in place.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: OT: lots of IPv6 DNS requests

2008-06-11 Thread Jon Radel

Ted Mittelstaedt wrote:

>> -Original Message-
>> From: Jon Radel [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, June 11, 2008 6:15 AM
>> To: Ted Mittelstaedt
>> Cc: Wojciech Puchar; freebsd-questions@freebsd.org
>> Subject: Re: OT: lots of IPv6 DNS requests
>>
>> Ted Mittelstaedt wrote:
>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED]
>>>> [mailto:[EMAIL PROTECTED] Behalf Of Jon Radel
>>>> Sent: Tuesday, June 10, 2008 4:02 PM
>>>> To: Wojciech Puchar
>>>> Cc: freebsd-questions@freebsd.org
>>>> Subject: Re: OT: lots of IPv6 DNS requests
>>>>
>>>> Nameservers are hitting an address of yours.  Therefore something is
>>>> probably handing out your address.  Somebody (that would be me) has
>>>> looked up the address in question and even looked up the nameserver
>>>> which is handing out that address in a glue record.
>>>
>>> A simple problem EASILY solved.
>>>
>>> Why bother the owner of the misconfigured nameserver?
>>>
>>> Instead, simply insert a wildcard record to your nameserver
>>> that hands out the IP number of the nastiest porno site you
>>> can find to any DNS query.
>>>
>>> After a few days the owners of the misconfigured nameservers
>>> or clients will go hunting for whatever is poisoning their cache.
>>>
>>> Problem solved.
>>>
>>> Ted
>>
>> Silly me, I've always believed that people setup nameservers because
>> they want their resources to be found.  Having one of the parents of your
>> zone point to a random machine of yours,
>
> It seemed that the OP's claim was that he had NOT asked the
> parents of his domain to point any nameserving to his machine.

Yes.  And I pointed out that he was WRONG, including in the message you
responded to.  I went so far as to send dig output showing the glue
record that was causing his grief.

> It used to be that people would at times use random nameservers
> on the Internet that they discovered, rather than using their
> own ISP's nameserver.  The advent of IP-based filtering for
> BIND which allows you to specify only non-recursive queries to
> be answered from IP blocks that are not your own, pretty much put
> a stop to that.  But for whatever reason, sometimes you can't
> employ IP-based filtering, and you have to setup a nameserver
> to answer recursive queries from anyone, even though you may
> still only want the world to be making non-recursive queries
> to it.

True, but quite beside the point.  Anyway, those pesky people would
quickly leave a server that denied all their requests alone, and if
you'd actually read what the OP posted, you'd have noticed the "denied"
at the end of every line from his logs that he found so disturbing.

> The suggestion to use wildcards to issue bogus responses is
> the general suggestion to "convince" goofballs on the Internet
> that happen to come across your recursive-query-responding
> nameserver that you do not want them to use to make recursive
> queries, to go elsewhere.

Understood, true, but quite beside the point.

> Obviously if you intentionally are listing your nameserver in
> a parent zone, and you employ this trick, you will need to
> setup a new nameserver on a different IP and change the parent
> zone.
>
> I figured though, that anyone who knew what they were doing
> would have grasped that concept, however.

You'd think, wouldn't you?

>> which you then use to serve
>> crap records, strikes me as somewhat counterproductive.  And I really
>> fail to see why whomever runs the parent zone would even notice.
>
> The OP claimed that he was getting an excessive number of
> DNS requests, implying that his parent was redirecting a lot
> of queries to him that he wasn't supposed to get.  If his
> parent is doing that because they misconfigured their own nameserver,
> then anyone depending on their nameserver will get crap records
> back, and likely complain.

He made no such claim at any time (at least in any e-mail that reached
me privately or via the list).  He was confused as to why random
machines were hitting his closed nameserver at all.

Do you honestly think lots of people are going to gang up on whomever
runs his parent zone when they stop getting mail from the OP?  Those
that noticed would probably sigh a little sigh of relief that they'd no
longer have to see the OP and me fussing at each other.

> I think the issue is that you are assuming his parent zone
> admins are doing the Correct Thing when they have configured
> their own nameservers.  The OP was insistent that his parent
> zone admins were doing the Wrong Thing when they configured
> their own nameservers.  Thus, my suggestion is essentially telling
> the OP that if he is so insistent that his parents are screwed
> up, then he can put his money where his mouth is and wildcard
> a porno site.

Wow.  You really have problems with reading comprehension, don't you?
You have that more or less backwards.

> As we saw by his response to my suggestion, when the OP was
> challenged to do this, he rapidly backwatered.  Since backwatering
> he no longer can claim (at least on this list) that his parent
> admins are idiots, and thus I assume is now op

Re: OT: lots of IPv6 DNS requests Was: Re:

2008-06-11 Thread Camilo Reyes
Nothing impersonal; just trying to help. I'm a big advocate of
getting rid of things you don't need to keep things simple. Sorry
that wasn't the answer you were looking for...

Camilo
"Bono Vince Malum"


> Date: Wed, 11 Jun 2008 10:13:47 -0400
> From: Jon Radel <[EMAIL PROTECTED]>
> Subject: Re: OT: lots of IPv6 DNS requests Was: Re:
> freebsd-questions
>   Digest,  Vol 219, Issue 6
> To: [EMAIL PROTECTED]
> Cc: freebsd-questions@freebsd.org
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Camilo Reyes wrote:
> > The easiest way to deal with this is to disable IPv6 on your kernel.
> > There is a good guide here:
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html.
> >
> > Simply comment out the 'options INET6' line from your config file. Also,
> > you could give more information on what application is generating those
> > logs. For example, what services are you running? Is this setup as a
> > server? And things of that sort.
>
> Disabling things so the log messages stop and you can pretend all the
> brokenness has magically gone away is indeed the easiest solution
> sometimes.  It's rarely a good one, particularly for the long term.
> Anyway, the OP actually uses IPv6 on his network, so this is pretty much
> akin to suggesting that he turn off his computer to keep people from
> bothering it.
>
> The log messages are from his DNS server; he uses it for resolving and
> some local stuff; the log entries are the result of queries from random
> machines being rejected; random machines are doing that since at least
> one of his parent nameservers is handing out the IPv6 address of his
> server against his wishes; eventually he'll realize this is actually the
> case; and maybe he'll be able to convince whomever runs the parent
> nameserver(s) to update the records for his zone.  (Just to cover the
> rest of your questions. :-)
> 
> --Jon Radel


RE: OT: lots of IPv6 DNS requests

2008-06-11 Thread Ted Mittelstaedt


> -Original Message-
> From: Jon Radel [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 11, 2008 6:15 AM
> To: Ted Mittelstaedt
> Cc: Wojciech Puchar; freebsd-questions@freebsd.org
> Subject: Re: OT: lots of IPv6 DNS requests
> 
> 
> Ted Mittelstaedt wrote:
> > 
> > 
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of Jon Radel
> >> Sent: Tuesday, June 10, 2008 4:02 PM
> >> To: Wojciech Puchar
> >> Cc: freebsd-questions@freebsd.org
> >> Subject: Re: OT: lots of IPv6 DNS requests
> >>
> > 
> >> Nameservers are hitting an address of yours.  Therefore something is 
> >> probably handing out your address.  Somebody (that would be me) has 
> >> looked up the address in question and even looked up the nameserver 
> >> which is handing out that address in a glue record. 
> > 
> > A simple problem EASILY solved.
> > 
> > Why bother the owner of the misconfigured nameserver?
> > 
> > Instead, simply insert a wildcard record to your nameserver
> > that hands out the IP number of the nastiest porno site you
> > can find to any DNS query.
> > 
> > After a few days the owners of the misconfigured nameservers
> > or clients will go hunting for whatever is poisoning their cache.
> > 
> > Problem solved.
> > 
> > Ted
> 
> Silly me, I've always believed that people setup nameservers because 
> they want their resources to be found.  Having one of the parents of your 
> zone point to a random machine of yours,

It seemed that the OP's claim was that he had NOT asked the
parents of his domain to point any nameserving to his machine.

It used to be that people would at times use random nameservers
on the Internet that they discovered, rather than using their
own ISP's nameserver.  The advent of IP-based filtering for
BIND which allows you to specify only non-recursive queries to
be answered from IP blocks that are not your own, pretty much put
a stop to that.  But for whatever reason, sometimes you can't
employ IP-based filtering, and you have to setup a nameserver
to answer recursive queries from anyone, even though you may
still only want the world to be making non-recursive queries
to it.

The suggestion to use wildcards to issue bogus responses is
the general suggestion to "convince" goofballs on the Internet
that happen to come across your recursive-query-responding
nameserver that you do not want them to use to make recursive
queries, to go elsewhere.

Obviously if you intentionally are listing your nameserver in
a parent zone, and you employ this trick, you will need to
setup a new nameserver on a different IP and change the parent
zone.

I figured though, that anyone who knew what they were doing
would have grasped that concept, however.

> which you then use to serve 
> crap records, strikes me as somewhat counterproductive.  And I really 
> fail to see why whomever runs the parent zone would even notice. 

The OP claimed that he was getting an excessive number of
DNS requests, implying that his parent was redirecting a lot
of queries to him that he wasn't supposed to get.  If his
parent is doing that because they misconfigured their own nameserver,
then anyone depending on their nameserver will get crap records
back, and likely complain.

I think the issue is that you are assuming his parent zone
admins are doing the Correct Thing when they have configured
their own nameservers.  The OP was insistent that his parent
zone admins were doing the Wrong Thing when they configured
their own nameservers.  Thus, my suggestion is essentially telling
the OP that if he is so insistent that his parents are screwed
up, then he can put his money where his mouth is and wildcard
a porno site.

As we saw by his response to my suggestion, when the OP was
challenged to do this, he rapidly backwatered.  Since backwatering
he no longer can claim (at least on this list) that his parent
admins are idiots, and thus I assume is now open to examining
his own config a bit more closely.  (which is what you were
telling him to do all along)

Sometimes if you want the horse to drink, you have to let them
run in the opposite direction of the pond.

Ted


Re: OT: lots of IPv6 DNS requests

2008-06-11 Thread Wojciech Puchar

> $ dig @bilbo.nask.org.pl tensor.gdynia.pl ns


so something is broken with my registrar. as other dns'es reports only 2 
nameservers.


host -t ns tensor.gdynia.pl dns.task.gda.pl

reports 2 of them, and dns.task.gda.pl is main dns for gdynia.pl

thank you for finally explaining things


Re: OT: lots of IPv6 DNS requests Was: Re: freebsd-questions Digest, Vol 219, Issue 6

2008-06-11 Thread Jon Radel

Camilo Reyes wrote:

> The easiest way to deal with this is to disable IPv6 on your kernel.
> There is a good guide here:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html.
>
> Simply comment out the 'options INET6' line from your config file. Also,
> you could give more information on what application is generating those
> logs. For example, what services are you running? Is this setup as a
> server? And things of that sort.


Disabling things so the log messages stop and you can pretend all the 
brokenness has magically gone away is indeed the easiest solution 
sometimes.  It's rarely a good one, particularly for the long term. 
Anyway, the OP actually uses IPv6 on his network, so this is pretty much 
akin to suggesting that he turn off his computer to keep people from 
bothering it.


The log messages are from his DNS server; he uses it for resolving and 
some local stuff; the log entries are the result of queries from random 
machines being rejected; random machines are doing that since at least 
one of his parent nameservers is handing out the IPv6 address of his 
server against his wishes; eventually he'll realize this is actually the 
case; and maybe he'll be able to convince whomever runs the parent 
nameserver(s) to update the records for his zone.  (Just to cover the 
rest of your questions. :-)


--Jon Radel




Re: OT: lots of IPv6 DNS requests

2008-06-11 Thread Jon Radel

Wojciech Puchar wrote:




>> pearl# dig  dns3.tensor.gdynia.pl
>> dns3.tensor.gdynia.pl.  21682   IN  2001:4070:101:2::1
>
> that's funny because i have in my domain:
>
> dns3A   213.192.74.1
> dns32001:4070:101::1
>
> not :2::1
>
> tried my secondary dns - the same.
>
> tried dig  dns3.tensor.gdynia.pl from other server in poland - the
> same!
>
> any idea where this :2::1 can be kept. nowhere on my machines for sure.
>
> i did grep 2001:4070:101:2::1 /etc/namedb/*/* on both my primary and
> secondary dns - found only one position that defines
> wojtek.tensor.gdynia.pl
>
> nothing more.
>
> asked polish telecom DNS to look how it look from outside, got this
> dns3.tensor.gdynia.pl.  10800   IN  2001:4070:101::1
>
> which is OK.
>
> as you get :2::1 - any idea why?


Sure thing.  I know exactly why.  I keep telling you why.  You keep 
ignoring me.


Frankly, I'm beginning to suspect that you're only pretending that you 
know how DNS works.  You might want to research it a bit.


Run this:

$ dig @bilbo.nask.org.pl tensor.gdynia.pl ns

; <<>> DiG 9.4.2 <<>> @bilbo.nask.org.pl tensor.gdynia.pl ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45423
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;tensor.gdynia.pl.  IN  NS

;; AUTHORITY SECTION:
tensor.gdynia.pl.   28800   IN  NS  dns2.tensor.gdynia.pl.
tensor.gdynia.pl.   28800   IN  NS  dns.tensor.gdynia.pl.
tensor.gdynia.pl.   28800   IN  NS  dns3.tensor.gdynia.pl.

;; ADDITIONAL SECTION:
dns.tensor.gdynia.pl.   28800   IN  A   213.192.74.1
dns.tensor.gdynia.pl.   28800   IN  2001:4070:101::1
dns2.tensor.gdynia.pl.  28800   IN  A   83.18.148.142
dns2.tensor.gdynia.pl.  28800   IN  2001:4070:101::1
dns3.tensor.gdynia.pl.  28800   IN  A   83.12.228.78
dns3.tensor.gdynia.pl.  28800   IN  2001:4070:101:2::1

;; Query time: 233 msec
;; SERVER: 195.187.245.51#53(195.187.245.51)
;; WHEN: Wed Jun 11 13:21:48 2008
;; MSG SIZE  rcvd: 222


over and over until you catch on to what it means.  Once you understand 
that, then run this:


$ dig @f-dns.pl. tensor.gdynia.pl ns

; <<>> DiG 9.4.2 <<>> @f-dns.pl. tensor.gdynia.pl ns
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13848
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;tensor.gdynia.pl.  IN  NS

;; AUTHORITY SECTION:
gdynia.pl.  86400   IN  NS  dns2.task.gda.pl.
gdynia.pl.  86400   IN  NS  bilbo.nask.org.pl.
gdynia.pl.  86400   IN  NS  ns-pl.tpnet.pl.
gdynia.pl.  86400   IN  NS  kirdan.warman.nask.pl.
gdynia.pl.  86400   IN  NS  dns.task.gda.pl.

;; ADDITIONAL SECTION:
dns.task.gda.pl.86400   IN  A   153.19.250.100
dns2.task.gda.pl.   86400   IN  A   212.77.97.222

;; Query time: 131 msec
;; SERVER: 2001:1a68:0:10::189#53(2001:1a68:0:10::189)
;; WHEN: Wed Jun 11 13:30:16 2008
;; MSG SIZE  rcvd: 200

over and over until you realize why this means that the results of the 
first command actually matter.


Or you could skip a step and run:

$ dig @b-dns.pl. tensor.gdynia.pl ns

; <<>> DiG 9.4.2 <<>> @b-dns.pl. tensor.gdynia.pl ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10267
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;tensor.gdynia.pl.  IN  NS

;; AUTHORITY SECTION:
tensor.gdynia.pl.   28800   IN  NS  dns3.tensor.gdynia.pl.
tensor.gdynia.pl.   28800   IN  NS  dns2.tensor.gdynia.pl.
tensor.gdynia.pl.   28800   IN  NS  dns.tensor.gdynia.pl.

;; ADDITIONAL SECTION:
dns.tensor.gdynia.pl.   28800   IN  A   213.192.74.1
dns.tensor.gdynia.pl.   28800   IN  2001:4070:101::1
dns2.tensor.gdynia.pl.  28800   IN  A   83.18.148.142
dns2.tensor.gdynia.pl.  28800   IN  2001:4070:101::1
dns3.tensor.gdynia.pl.  28800   IN  A   83.12.228.78
dns3.tensor.gdynia.pl.  28800   IN  2001:4070:101:2::1

;; Query time: 138 msec
;; SERVER: 80.50.50.10#53(80.50.50.10)
;; WHEN: Wed Jun 11 13:32:09 2008
;; MSG SIZE  rcvd: 222

Basically, according to the root servers, pl has 8 nameservers, a-dns.pl 
through h-dns.pl.  They give different answers when asked about 
gdynia.pl and tensor.gdynia.pl


a:  returns set of 5, including bilbo.nask.org.pl, which then returns 
the dreaded address


b:  returns set of 5 for gdynia.pl, BUT WHEN ASKED ABOUT 
TENSOR.GDYNIA.PL r
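
Added example, not part of the thread: the comparison the dig commands above make by hand, done in Python over dig-style replies from several parent servers. It flags a nameserver a parent still delegates to, glue that differs from the intended address, and a reply that is only a referral to an ancestor zone (as in the f-dns.pl reply); the zone, server names, addresses and sample replies are constructed, and the function names are hypothetical.

```python
import ipaddress

ZONE = "child.example.test"
# Delegation the zone operator intends (hypothetical, documentation addresses).
EXPECTED = {
    "ns1.child.example.test": {"192.0.2.1", "2001:db8:101::1"},
    "ns2.child.example.test": {"198.51.100.2", "2001:db8:101:1::2"},
}
# Constructed dig-style replies (not captured output), keyed by parent server.
SAMPLE_RESPONSES = {
    "parent-a.example.net": """
;; AUTHORITY SECTION:
child.example.test.     28800   IN  NS    ns1.child.example.test.
child.example.test.     28800   IN  NS    ns2.child.example.test.
child.example.test.     28800   IN  NS    ns3.child.example.test.

;; ADDITIONAL SECTION:
ns1.child.example.test. 28800   IN  A     192.0.2.1
ns1.child.example.test. 28800   IN  AAAA  2001:db8:101::1
ns2.child.example.test. 28800   IN  A     198.51.100.2
ns2.child.example.test. 28800   IN  AAAA  2001:db8:101::1
ns3.child.example.test. 28800   IN  A     203.0.113.78
ns3.child.example.test. 28800   IN  AAAA  2001:db8:101:2::1
""",
    "parent-b.example.net": """
;; AUTHORITY SECTION:
child.example.test.     28800   IN  NS    ns1.child.example.test.
child.example.test.     28800   IN  NS    ns2.child.example.test.

;; ADDITIONAL SECTION:
ns1.child.example.test. 28800   IN  A     192.0.2.1
ns1.child.example.test. 28800   IN  AAAA  2001:db8:101::1
ns2.child.example.test. 28800   IN  A     198.51.100.2
ns2.child.example.test. 28800   IN  AAAA  2001:DB8:101:1:0:0:0:2
""",
    "parent-c.example.net": """
;; AUTHORITY SECTION:
example.test.           86400   IN  NS    parent-a.example.net.
example.test.           86400   IN  NS    parent-b.example.net.

;; ADDITIONAL SECTION:
parent-a.example.net.   86400   IN  A     192.0.2.53
""",
}


def fqdn(name):
    """Normalise a DNS name to lower case with one trailing dot."""
    return name.rstrip(".").lower() + "."


def parse_delegation(text, zone):
    """Return (NS names for zone, glue addresses by name, ancestor referrals)."""
    zone, section = fqdn(zone), None
    ns, glue, referral = set(), {}, set()
    for line in map(str.strip, text.splitlines()):
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]  # ANSWER, AUTHORITY, ADDITIONAL, ...
            continue
        fields = line.split()
        if line.startswith(";") or len(fields) < 5 or fields[2].upper() != "IN":
            continue  # comments, blank lines, anything that is not a record
        owner, rtype, rdata = fqdn(fields[0]), fields[3].upper(), fields[4]
        if rtype == "NS" and section in ("ANSWER", "AUTHORITY"):
            if owner == zone:
                ns.add(fqdn(rdata))
            else:  # NS owned by an ancestor: a referral, not this delegation
                referral.add(owner)
        elif rtype in ("A", "AAAA") and section == "ADDITIONAL":
            glue.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    return ns, glue, referral


def audit_delegation(responses, zone, expected):
    """Compare each parent's delegation with the intended one; return findings."""
    want = {fqdn(n): {ipaddress.ip_address(a) for a in addrs}
            for n, addrs in expected.items()}
    findings = []
    for server in sorted(responses):
        ns, glue, referral = parse_delegation(responses[server], zone)
        if not ns:  # nothing for this zone here; the next level must be asked
            for owner in sorted(referral):
                findings.append((server, "referral", owner))
            continue
        for name in sorted(ns - set(want)):
            addrs = ", ".join(sorted(str(a) for a in glue.get(name, ())))
            findings.append((server, "stale-ns", f"{name} -> {addrs}"))
        for name in sorted(set(want) - ns):
            findings.append((server, "missing-ns", name))
        for name in sorted(ns & set(want)):
            for addr in sorted(str(a) for a in glue.get(name, set()) - want[name]):
                findings.append((server, "glue-mismatch", f"{name} has {addr}"))
    return findings


if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE_RESPONSES, ZONE, EXPECTED):
        print(*finding, sep="\t")
```

A "stale-ns" finding names the address that outside resolvers will keep querying until that parent's records are corrected.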

Re: OT: lots of IPv6 DNS requests

2008-06-11 Thread Jon Radel

Ted Mittelstaedt wrote:




>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Jon Radel
>> Sent: Tuesday, June 10, 2008 4:02 PM
>> To: Wojciech Puchar
>> Cc: freebsd-questions@freebsd.org
>> Subject: Re: OT: lots of IPv6 DNS requests
>>
>> Nameservers are hitting an address of yours.  Therefore something is
>> probably handing out your address.  Somebody (that would be me) has
>> looked up the address in question and even looked up the nameserver
>> which is handing out that address in a glue record.
>
> A simple problem EASILY solved.
>
> Why bother the owner of the misconfigured nameserver?
>
> Instead, simply insert a wildcard record to your nameserver
> that hands out the IP number of the nastiest porno site you
> can find to any DNS query.
>
> After a few days the owners of the misconfigured nameservers
> or clients will go hunting for whatever is poisoning their cache.
>
> Problem solved.
>
> Ted


Silly me, I've always believed that people setup nameservers because 
they want their resources to be found.  Having one of the parents of your 
zone point to a random machine of yours, which you then use to serve 
crap records, strikes me as somewhat counterproductive.  And I really 
fail to see why whomever runs the parent zone would even notice.  So I 
rather suspect that the log messages which so traumatize Wojciech would 
continue.


Problem not solved.

--Jon Radel




Re: OT: lots of IPv6 DNS requests

2008-06-11 Thread Wojciech Puchar


> Do a netstat -na | grep 53. This will help. Something is wrong with your
> setup if you are seeing undesirable results.

all OK, on port 53 my named is listening. it is used as cache-only DNS for 
my computer and few others.

yes i can just block out accesses from outside 2001:4070:101:2::/64 but i 
would like to know why they are asking at all!

> A couple of questions... are you using ONLY /64 prefixes? Whether they do or


yes i do.

2001:4070:101::/64 and 2001:4070:101:2::/64 are different subnets


RE: OT: lots of IPv6 DNS requests

2008-06-11 Thread Wojciech Puchar

> can find to any DNS query.
>
> After a few days the owners of the misconfigured nameservers
> or clients will go hunting for whatever is poisoning their cache.
>
> Problem solved.
>
> Ted


when i will be sure it is not my fault i would do this ;) but now i 
actually don't know where is a problem



Re: OT: lots of IPv6 DNS requests

2008-06-11 Thread Wojciech Puchar


> pearl# dig  dns3.tensor.gdynia.pl
> dns3.tensor.gdynia.pl.  21682   IN  2001:4070:101:2::1


that's funny because i have in my domain:

dns3A   213.192.74.1
dns32001:4070:101::1

not :2::1


tried my secondary dns - the same.


tried dig  dns3.tensor.gdynia.pl from other server in poland - the 
same!


any idea where this :2::1 can be kept. nowhere on my machines for sure.

i did grep 2001:4070:101:2::1 /etc/namedb/*/* on both my primary and 
secondary dns - found only one position that defines 
wojtek.tensor.gdynia.pl


nothing more.


asked polish telecom DNS to look how it look from outside, got this
dns3.tensor.gdynia.pl.  10800   IN  2001:4070:101::1

which is OK.


as you get :2::1 - any idea why?


RE: OT: lots of IPv6 DNS requests

2008-06-11 Thread Ted Mittelstaedt


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jon Radel
> Sent: Tuesday, June 10, 2008 4:02 PM
> To: Wojciech Puchar
> Cc: freebsd-questions@freebsd.org
> Subject: Re: OT: lots of IPv6 DNS requests
> 

> 
> Nameservers are hitting an address of yours.  Therefore something is 
> probably handing out your address.  Somebody (that would be me) has 
> looked up the address in question and even looked up the nameserver 
> which is handing out that address in a glue record. 

A simple problem EASILY solved.

Why bother the owner of the misconfigured nameserver?

Instead, simply insert a wildcard record to your nameserver
that hands out the IP number of the nastiest porno site you
can find to any DNS query.

After a few days the owners of the misconfigured nameservers
or clients will go hunting for whatever is poisoning their cache.

Problem solved.

Ted


Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Steve Bertrand

Wojciech Puchar wrote:


>>> no it is not! that's why i'm asking.
>>
>> Oh, for heaven's sake.  We all know you like to shoot off your mouth.
>> Now go back to my mail and read it ALL THE WAY THROUGH BEFORE YOU
>> ANSWER AGAIN. Jeez.
>
> so maybe you should explain clearer because i do read what you write.


In summary, what he means is this:

You have a (perhaps legacy) DNS server running as dns3.tensor.gdynia.pl 
(RRs snipped for brevity):


pearl# dig  dns3.tensor.gdynia.pl
dns3.tensor.gdynia.pl.  21682   IN  2001:4070:101:2::1

...which appears to be the same IP address as your workstation.

pearl# dig  wojtek.tensor.gdynia.pl
wojtek.tensor.gdynia.pl. 4732   IN  2001:4070:101:2::1

...however, any attempt to gather information from dns3. simply fails, 
due to your administrative policy (named not allowing outside networks).


I'm willing to bet that you will see attempts from 2607:f118::b6 (or 
::b7) in your workstation logs as rejected for  lookups.


I don't see any reference to dns3. in the WHOIS, so perhaps it has been 
removed recently.


Any provider who still has this dns3 server listed as a possible 
authoritative name server may round-robin to it and produce the logs on 
your workstation you are witnessing. It is very possible that this 
server is still listed as a NS for the domain and I just didn't look 
hard enough for it.


FYI (IMHO), this type of question would be better suited for 
[EMAIL PROTECTED] You would likely have far more eyes on your question over 
there by people who focus primarily on this sort of thing.


Steve



Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Jon Radel

Wojciech Puchar wrote:




>>>> dns.tensor.gdynia.pl.   10800   IN  2001:4070:101::1
>>>>
>>>> or
>>>>
>>>> dns2.tensor.gdynia.pl.  10732   IN  2001:4070:101:1::2
>>>
>>> no it is not! that's why i'm asking.
>>
>> Oh, for heaven's sake.  We all know you like to shoot off your mouth.
>> Now go back to my mail and read it ALL THE WAY THROUGH BEFORE YOU
>> ANSWER AGAIN. Jeez.
>
> so maybe you should explain clearer because i do read what you write.
>
> my computer isn't 2001:4070:101::1 nor 2001:4070:101:1::2


Understood; I already answered that question in the negative in my 
original e-mail in the part you trimmed out.


Your computer is at 2001:4070:101:2::1, just like I said.

As a bonus I told you which parent to your DNS zone is handing out a 
glue record for which nameserver with that address in it.


Get in touch with the people who run that nameserver and ask them, 
pretty please, to make the delegation records for your zone look just 
like the records at the other parent nameservers.


Really, go read my entire original message.  All the way to the end. 
Actually look at all the IP addresses.  Particularly the one from my log 
messages which I remark on with a "Hmmm...different IP address."


Also realize, please, given your track record of telling people that 
what they're saying on this list is "nonsense" and "just marketing hype" 
and on and on, it really is rather strange for you to expect somebody to 
answer your beginner-level questions in nice, easy, beginner-level 
steps.  Mind, I have no problem with your asking the question.  Lord 
knows that I come up with some dumb questions of my own sometimes.  But 
you do set yourself up as the all knowing expert on just about 
everything, so don't be surprised if people expect you to have some clue 
about what you're doing and capable of figuring out what dig output with 
the bad records in it means.


Nameservers are hitting an address of yours.  Therefore something is 
probably handing out your address.  Somebody (that would be me) has 
looked up the address in question and even looked up the nameserver 
which is handing out that address in a glue record.  All you do is get 
petulant about how the answer to what turns out to be a rhetorical 
question is, "no."  D'oh; which I certainly hope translates properly.


--Jon Radel




Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Steve Bertrand

Jon Radel wrote:


> dns3.tensor.gdynia.pl.  28800   IN    2001:4070:101:2::1

  
Sorry Jon, I completely missed that the first time through ;)

Steve


Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Steve Bertrand

Wojciech Puchar wrote:


>>>> dns.tensor.gdynia.pl.   10800   IN  2001:4070:101::1
>>>>
>>>> or
>>>>
>>>> dns2.tensor.gdynia.pl.  10732   IN  2001:4070:101:1::2
>>>
>>> no it is not! that's why i'm asking.
>>
>> Oh, for heaven's sake.  We all know you like to shoot off your mouth.
>> Now go back to my mail and read it ALL THE WAY THROUGH BEFORE YOU
>> ANSWER AGAIN. Jeez.
>
> so maybe you should explain clearer because i do read what you write.
>
> my computer isn't 2001:4070:101::1 nor 2001:4070:101:1::2


Do a netstat -na | grep 53. This will help. Something is wrong with your 
setup if you are seeing undesirable results.


A couple of questions... are you using ONLY /64 prefixes? Whether they 
do or not, do:


2001:4070:101:1:: and 2001:4070:101:2::

...share a common physical local link? What flags of Neighbor Discovery 
are enabled on the devices on this link, and what on-link prefixes do 
you see (ndp -i interface, ndp -p)?


This:

Jun 10 17:13:50 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:241#60282: query (cache) 
'wojtek.tensor.gdynia.pl/MX/IN' denied


...is someone within the 'Iowa Communications Network' trying to find an 
MX for what appears to be your workstation/mail server, by targeting 
your workstation directly for the DNS lookup.


I don't have time to go research it myself right now, but do you use a 
registrar that provides IPv6 glue? What does your zone file state for NS 
servers? Do you have a rogue NS server on your network that was for 
development that got left on, and could be supplying incorrect results?


It is very difficult to identify where this is broken if you don't 
respond with suggested output.


Steve


Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Wojciech Puchar


>>> dns.tensor.gdynia.pl.   10800   IN  2001:4070:101::1
>>>
>>> or
>>>
>>> dns2.tensor.gdynia.pl.  10732   IN  2001:4070:101:1::2
>>
>> no it is not! that's why i'm asking.
>
> Oh, for heaven's sake.  We all know you like to shoot off your mouth. Now go
> back to my mail and read it ALL THE WAY THROUGH BEFORE YOU ANSWER AGAIN.
> Jeez.



so maybe you should explain clearer because i do read what you write.

my computer isn't 2001:4070:101::1 nor 2001:4070:101:1::2



Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Jon Radel

Wojciech Puchar wrote:



>>> why they are asking?
>>
>> Because your computer is reachable on either
>>
>> dns.tensor.gdynia.pl.   10800   IN  2001:4070:101::1
>>
>> or
>>
>> dns2.tensor.gdynia.pl.  10732   IN  2001:4070:101:1::2
>
> no it is not! that's why i'm asking.


Oh, for heaven's sake.  We all know you like to shoot off your mouth. 
Now go back to my mail and read it ALL THE WAY THROUGH BEFORE YOU ANSWER 
AGAIN.  Jeez.


--Jon Radel




Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Wojciech Puchar

>> why they are asking?
>
> Because your computer is reachable on either
>
> dns.tensor.gdynia.pl.   10800   IN  2001:4070:101::1
>
> or
>
> dns2.tensor.gdynia.pl.  10732   IN  2001:4070:101:1::2



no it is not! that's why i'm asking.


Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Wojciech Puchar


2610:130:101:100:214:22ff:fe12:241#60282: query (cache) 
'wojtek.tensor.gdynia.pl/MX/IN' denied


Post:

# ifconfig -a
# netstat -na | grep 53

Looks like named may be listening publicly on IPv6, but then refusing the 
requests.



yes it does. but allows requests only for limited set of addresses.


Is dns.tensor.gdynia.pl the same box as wojtek.tensor.gdynia.pl? Did you make


no it is NOT. that's why i'm asking!

[EMAIL PROTECTED] ~]$ host dns.tensor.gdynia.pl
dns.tensor.gdynia.pl has address 213.192.74.1
dns.tensor.gdynia.pl has IPv6 address 2001:4070:101::1
[EMAIL PROTECTED] ~]$ host dns2.tensor.gdynia.pl
dns2.tensor.gdynia.pl has address 83.12.228.78
dns2.tensor.gdynia.pl has IPv6 address 2001:4070:101:1::2
[EMAIL PROTECTED] ~]$ host wojtek.tensor.gdynia.pl
wojtek.tensor.gdynia.pl has IPv6 address 2001:4070:101:2::1
wojtek.tensor.gdynia.pl mail is handled by 20 tensor.gdynia.pl.
wojtek.tensor.gdynia.pl mail is handled by 0 wojtek.tensor.gdynia.pl.



Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Jon Radel

Wojciech Puchar wrote:

Jun 10 17:14:32 wojtek named[909]: client 
2001:4830:167d:5237::3:1#59882: query (cache) 
'wojtek.tensor.gdynia.pl//IN' denied
Jun 10 17:14:32 wojtek named[909]: client 
2001:4830:167d:5237::3:1#59882: query (cache) 
'wojtek.tensor.gdynia.pl/ANY/IN' denied




my computer is NOT set up as DNS server for any domain.

why they are asking?


Because your computer is reachable on either

dns.tensor.gdynia.pl.   10800   IN  2001:4070:101::1

or

dns2.tensor.gdynia.pl.  10732   IN  2001:4070:101:1::2

and that pesky set of parent zone DNS servers insists on handing those 
addresses out in NS records?


Aha, found the matching log entries on my side:

Jun 10 15:14:33 billow named[581]: client 192.168.43.18#45589: query: 
wojtek.tensor.gdynia.pl IN  +
Jun 10 15:14:33 billow named[581]: client 192.168.43.19#1873: query: 
wojtek.tensor.gdynia.pl IN ANY +
Jun 10 15:14:34 billow named[581]: unexpected RCODE (REFUSED) resolving 
'wojtek.tensor.gdynia.pl//IN': 2001:4070:101:2::1#53
Jun 10 15:14:34 billow named[581]: unexpected RCODE (REFUSED) resolving 
'wojtek.tensor.gdynia.pl/ANY/IN': 2001:4070:101:2::1#53


Hmmm...different IP address.   Hmmm. Hey, what about you look at 
what bilbo.nask.org.pl. is returning when asked for your nameservers:


;; AUTHORITY SECTION:
tensor.gdynia.pl.   28800   IN  NS  dns2.tensor.gdynia.pl.
tensor.gdynia.pl.   28800   IN  NS  dns3.tensor.gdynia.pl.
tensor.gdynia.pl.   28800   IN  NS  dns.tensor.gdynia.pl.

;; ADDITIONAL SECTION:
dns.tensor.gdynia.pl.   28800   IN  A   213.192.74.1
dns.tensor.gdynia.pl.   28800   IN  2001:4070:101::1
dns2.tensor.gdynia.pl.  28800   IN  A   83.18.148.142
dns2.tensor.gdynia.pl.  28800   IN  2001:4070:101::1
dns3.tensor.gdynia.pl.  28800   IN  A   83.12.228.78
dns3.tensor.gdynia.pl.  28800   IN  2001:4070:101:2::1

Inconsistent from some of your other parents.  Might want to clean up a 
bit.  ;-)


--Jon Radel
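
Added example, not part of the original messages: a Python check that compares the parent's glue (the ADDITIONAL section quoted above) with the `host` output posted elsewhere in the thread and lists nameserver glue that the zone itself does not confirm. The IPv6 lines are parsed as archived, without a record type; a name with no `host` output (dns3) is treated as unconfirmed, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict
# Parent glue as quoted in the thread (the archive dropped the type on IPv6 lines).
PARENT_GLUE = """\
dns.tensor.gdynia.pl.   28800   IN  A   213.192.74.1
dns.tensor.gdynia.pl.   28800   IN  2001:4070:101::1
dns2.tensor.gdynia.pl.  28800   IN  A   83.18.148.142
dns2.tensor.gdynia.pl.  28800   IN  2001:4070:101::1
dns3.tensor.gdynia.pl.  28800   IN  A   83.12.228.78
dns3.tensor.gdynia.pl.  28800   IN  2001:4070:101:2::1
"""
# `host` output as posted in the thread: what the zone itself answers.
HOST_OUTPUT = """\
dns.tensor.gdynia.pl has address 213.192.74.1
dns.tensor.gdynia.pl has IPv6 address 2001:4070:101::1
dns2.tensor.gdynia.pl has address 83.12.228.78
dns2.tensor.gdynia.pl has IPv6 address 2001:4070:101:1::2
wojtek.tensor.gdynia.pl has IPv6 address 2001:4070:101:2::1
"""

def parse_records(text):
    """Map owner name -> set of addresses (first field is the name, last the address)."""
    table = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[-1])
        except (IndexError, ValueError):
            continue  # blank lines, MX lines, section headers
        table[fields[0].rstrip(".").lower()].add(addr)
    return table

def audit_glue(glue_text, zone_text):
    """Return (ns_name, glue_addr, names the zone gives that address to) for unconfirmed glue."""
    glue, zone = parse_records(glue_text), parse_records(zone_text)
    owners = defaultdict(set)
    for name, addrs in zone.items():
        for addr in addrs:
            owners[addr].add(name)
    findings = []
    for name in sorted(glue):
        for addr in sorted(glue[name], key=lambda a: (a.version, int(a))):
            if addr not in zone.get(name, set()):
                findings.append((name, str(addr), sorted(owners.get(addr, ()))))
    return findings

if __name__ == "__main__":
    for ns, addr, actual in audit_glue(PARENT_GLUE, HOST_OUTPUT):
        print(f"{ns}: glue {addr} belongs to {', '.join(actual) or 'no known host'}")
```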








Re: OT: lots of IPv6 DNS requests

2008-06-10 Thread Steve Bertrand

Wojciech Puchar wrote:

i'm getting lots of things like this in logs:

Jun 10 17:13:50 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:241#60282: query (cache) 
'wojtek.tensor.gdynia.pl/MX/IN' denied


Post:

# ifconfig -a
# netstat -na | grep 53

Looks like named may be listening publicly on IPv6, but then refusing 
the requests.


Is dns.tensor.gdynia.pl the same box as wojtek.tensor.gdynia.pl? Did you 
make any addressing changes around the time you started noticing this?


Steve


OT: lots of IPv6 DNS requests

2008-06-10 Thread Wojciech Puchar

i'm getting lots of things like this in logs:

Jun 10 17:13:50 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:241#60282: query (cache) 
'wojtek.tensor.gdynia.pl/MX/IN' denied
Jun 10 17:13:52 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:265#60123: query (cache) 
'dns2.tensor.gdynia.pl/A/IN' denied
Jun 10 17:13:52 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:265#60123: query (cache) 
'dns.tensor.gdynia.pl/A/IN' denied
Jun 10 17:13:52 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:265#60123: query (cache) 
'dns.tensor.gdynia.pl//IN' denied
Jun 10 17:13:52 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:265#60123: query (cache) 
'dns2.tensor.gdynia.pl//IN' denied
Jun 10 17:13:53 wojtek named[909]: client 
2610:130:101:100:214:22ff:fe12:265#60123: query (cache) 
'wojtek.tensor.gdynia.pl/MX/IN' denied
Jun 10 17:14:08 wojtek named[909]: client 2a01:170:102f::2#53539: query 
(cache) 'wojtek.tensor.gdynia.pl//IN' denied
Jun 10 17:14:12 wojtek named[909]: client 2001:648:2000:de::220#49152: 
query (cache) 'wojtek.tensor.gdynia.pl//IN' denied
Jun 10 17:14:13 wojtek named[909]: client 2001:6b0:b:2::10#63014: query 
(cache) 'dns.tensor.gdynia.pl/A/IN' denied
Jun 10 17:14:13 wojtek named[909]: client 2001:6b0:b:2::10#63014: query 
(cache) 'dns.tensor.gdynia.pl//IN' denied
Jun 10 17:14:13 wojtek named[909]: client 2001:6b0:b:2::10#63014: query 
(cache) 'dns2.tensor.gdynia.pl/A/IN' denied
Jun 10 17:14:13 wojtek named[909]: client 2001:6b0:b:2::10#63014: query 
(cache) 'dns2.tensor.gdynia.pl//IN' denied
Jun 10 17:14:22 wojtek named[909]: client 2001:470:1f08:251::2#46902: 
query (cache) 'wojtek.tensor.gdynia.pl//IN' denied
Jun 10 17:14:22 wojtek named[909]: client 2001:418:c01::5#53208: query 
(cache) 'wojtek.tensor.gdynia.pl//IN' denied
Jun 10 17:14:32 wojtek named[909]: client 2001:4830:167d:5237::3:1#59882: 
query (cache) 'wojtek.tensor.gdynia.pl//IN' denied
Jun 10 17:14:32 wojtek named[909]: client 2001:4830:167d:5237::3:1#59882: 
query (cache) 'wojtek.tensor.gdynia.pl/ANY/IN' denied




my computer is NOT set up as DNS server for any domain.

why they are asking?
