In the process of changing the DNS software I occasionally looked in  
the logs (woah - never look in your nameserver logs; what an amazing  
amount of bogus queries - I can't imagine how painful it must be to  
see the root-server traffic).

In particular we are getting a few hundred thousand PTR queries for  
"0.0.0.0.p.t.t.h.ip6.arpa." every hour to the pool.ntp.org servers  
({a,b,c,d,e}.ntpns.org).

After a bit of time staring at the log from my nameserver and tcpdump
output I realized it is people trying to resolve
"http://north-america.pool.ntp.org." (possibly with a broken request
packet, I didn't look that closely). Somehow Net::DNS::Nameserver
translates that to a PTR request.

In any case it's a bad request -- we don't have a "http://north-america"
host. I'm not sure what the best thing to do with it would be
though. I could make my nameserver give them back a working IP
address - since that'd be cached better it'd also lower the number of
these queries to my nameserver. But I'd rather not encourage the
misconfigured clients.

We could try to track down if someone made software with this  
particular misconfiguration; but with millions of users that's hard.

Any suggestions? What's the operationally reasonable thing to do?

2007-10-05 22:31:43.792296500 193.162.153.170 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:43.795737500 193.162.153.162 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:43.907498500 62.254.206.205 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:45.141533500 68.87.85.100 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:45.434304500 68.87.73.243 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:45.769949500 200.47.10.93 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN



  - ask

-- 
http://develooper.com/ - http://askask.com/

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
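
One way to measure queries like those logged in the message above, as an added example that is not part of the original post: it parses lines in the log format shown, flags PTR names under ip6.arpa whose labels are not single hex nibbles, and tallies them per name and per source. The first three sample lines are from the post; the 192.0.2.x lines, the 2001:db8:: address and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# A well-formed reverse name for contrast (constructed; documentation prefix).
VALID = ipaddress.ip_address("2001:db8::567:89ab").reverse_pointer + "."

# Log format from the post: "timestamp source | qname | qtype class".
# First three lines are from the post; the 192.0.2.x lines are constructed.
SAMPLE_LOG = f"""\
2007-10-05 22:31:43.792296500 193.162.153.170 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:43.795737500 193.162.153.162 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:45.141533500 68.87.85.100 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
2007-10-05 22:31:46.000000000 192.0.2.10 | north-america.pool.ntp.org. | A IN
2007-10-05 22:31:46.100000000 192.0.2.11 | {VALID} | PTR IN
2007-10-05 22:31:46.200000000 192.0.2.10 | 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) \| (\S+) \| (\S+) (\S+)$")

def parse_line(line):
    """Split one log line into fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return None if m is None else {"src": m[2], "qname": m[3].lower(), "qtype": m[4]}

def bad_ip6_arpa(qname):
    """Return a reason if qname is under ip6.arpa but not nibble-formatted, else None."""
    name = qname.rstrip(".")
    if not name.endswith(".ip6.arpa"):
        return None
    labels = name[: -len(".ip6.arpa")].split(".")
    junk = [l for l in labels if not re.fullmatch(r"[0-9a-f]", l)]
    if junk:
        return "non-hex labels: " + ",".join(junk)
    return "more than 32 nibbles" if len(labels) > 32 else None

def summarize(log_text):
    """Count malformed ip6.arpa PTR queries per qname and per source address."""
    by_name, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "PTR" and bad_ip6_arpa(rec["qname"]):
            by_name[rec["qname"]] += 1
            by_src[rec["src"]] += 1
    return by_name, by_src

if __name__ == "__main__":
    names, sources = summarize(SAMPLE_LOG)
    for qname, n in names.most_common():
        print(n, qname, "-", bad_ip6_arpa(qname))
    print("top sources:", sources.most_common(5))
```

The per-source tally shows whether the load comes from a few resolvers or is spread across many clients.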
