> In the process of changing the DNS software I occasionally looked in
> the logs [...]

> In particular we are getting a few hundred thousand PTR queries for
> "0.0.0.0.p.t.t.h.ip6.arpa." every hour [...]

> After a bit of time staring at the log from my nameserver and tcpdump
> output I realized it is people trying to resolve
> "http://north-america.pool.ntp.org." [...].  Somehow
> Net::DNS::Nameserver translates that to a PTR request.

A *v6* PTR request.  Not *too* surprising; it sort-of matches the
syntax of a v6 address.  What I find baffling is that the pool.ntp.org
servers are seeing them; as far as I can tell, the ip6.arpa root does
not delegate p.t.t.h.ip6.arpa anywhere.  (Also a bit surprising is that
it seems to be appending 16 0 bits, but not a full 112 0 bits.)
Presumably the pool.ntp.org is responsible for it, but it seems more
schizoid than I'd expect from even a perl module to take the
pool.ntp.org part and pick nameservers based on it, but then flip-flop
to doing an address-to-name lookup without re-finding nameservers.

> I'm not sure what the best to do with it would be though.   I could
> make my nameserver give them back a working IP address

To a PTR query?  You *could* return a domain name that looks like a
dotted-quad IPv4 address in the usual textual representation, and
(given its other failings) it wouldn't surprise me to find that perl
module treating it like the IP address it textually resembles.
127.0.0.1. perhaps?

You could also return a valid PTR with a nonexistent name, such as . or
localhost. or some such.

Hmm, actually, you could return an answer section holding an A record
in response to a PTR query.  That's a bizarre enough thing to do that
I'm not sure what it would do.  If it shuts up the busted clients,
though, I have trouble seeing it as all bad....

> We could try to track down if someone made software with this
> particular misconfiguration; but with millions of users that's hard.

I think your only chance of finding it is to happen across an offender
address you have some kind of contact info for.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
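
An added example, not part of the original message or of any software it mentions: one way to pick the malformed ip6.arpa PTR queries discussed above out of a nameserver query log, recover the text the client mangled, and tally the source addresses sending them. The log line format (timestamp, client, qtype, qname), the sample lines and all function names are assumptions constructed for illustration.

```python
from collections import Counter

SUFFIX = ".ip6.arpa."
HEX = set("0123456789abcdef")

def classify_ptr(qname):
    """Return (verdict, forward_text) for a query name under ip6.arpa."""
    name = qname.lower().rstrip(".") + "."
    if not name.endswith(SUFFIX):
        return ("not-ip6.arpa", None)
    labels = name[:-len(SUFFIX)].split(".")
    # The reverse tree lists nibbles least-significant first; undo that
    # to see what the client was actually trying to look up.
    forward = "".join(reversed(labels))
    if not all(len(l) == 1 and l in HEX for l in labels):
        return ("non-nibble", forward)
    # A real IPv6 PTR name has exactly 32 hex nibbles (128 bits).
    return ("valid" if len(labels) == 32 else "partial", forward)

def summarize(log_text):
    """Tally non-nibble ip6.arpa PTR queries by recovered text and by client."""
    by_text, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "PTR":
            continue
        verdict, text = classify_ptr(fields[3])
        if verdict == "non-nibble":
            by_text[text] += 1
            by_client[fields[1]] += 1
    return by_text, by_client

# Constructed sample data; client addresses are from documentation ranges.
VALID = ".".join(reversed("20010db8" + "0" * 23 + "1")) + SUFFIX
SAMPLE_LOG = f"""\
10:00:01 192.0.2.10 PTR 0.0.0.0.p.t.t.h.ip6.arpa.
10:00:02 192.0.2.10 PTR 0.0.0.0.p.t.t.h.ip6.arpa.
10:00:02 198.51.100.7 A north-america.pool.ntp.org.
10:00:03 203.0.113.5 PTR 0.0.0.0.p.t.t.h.ip6.arpa.
10:00:04 198.51.100.7 PTR {VALID}
"""

if __name__ == "__main__":
    texts, clients = summarize(SAMPLE_LOG)
    print("recovered text:", texts.most_common())
    print("top clients:   ", clients.most_common())
```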