On 09/10/07 15:48, der Mouse wrote:
>> In the process of changing the DNS software I occasionally looked in
>> the logs [...]
>
>> In particular we are getting a few hundred thousand PTR queries for
>> "0.0.0.0.p.t.t.h.ip6.arpa." every hour [...]
>
>> After a bit of time staring at the log from my nameserver and tcpdump
>> output I realized it is people trying to resolve
>> "http://north-america.pool.ntp.org." [...]. Somehow
>> Net::DNS::Nameserver translates that to a PTR request.
>
> A *v6* PTR request. Not *too* surprising; it sort-of matches the
> syntax of a v6 address. What I find baffling is that the pool.ntp.org
> servers are seeing them; as far as I can tell, the ip6.arpa root does
> not delegate p.t.t.h.ip6.arpa anywhere. (Also a bit surprising is that
> it seems to be appending 16 0 bits, but not a full 112 0 bits.)
> Presumably the pool.ntp.org is responsible for it, but it seems more
> schizoid than I'd expect from even a perl module to take the
> pool.ntp.org part and pick nameservers based on it, but then flip-flop
> to doing an address-to-name lookup without re-finding nameservers.

It's the *pool nameserver* that is doing the bizarre A->PTR thing.

>> We could try to track down if someone made software with this
>> particular misconfiguration; but with millions of users that's hard.
>
> I think your only chance of finding it is to happen across an offender
> address you have some kind of contact info for.

I expect the queries will go down once the server stops responding with
a modified query and SERVFAIL, and instead sends NXDOMAIN.

--
Simon Arlott
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
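A log-triage check for the query name discussed in this thread, as an added example that is not part of the original messages or of Net::DNS: it flags PTR names under ip6.arpa whose labels are not single hex nibbles and puts the labels back in address order so the mangled text is readable. The four-field log format (time, client, qtype, qname) and the sample lines are constructed assumptions.

```python
import string
from collections import Counter

HEX = set(string.hexdigits)

def classify_ip6_arpa(qname):
    """Return (verdict, text) for a query name.

    verdict: 'not-ip6-arpa', 'full' (32 nibbles), 'partial' (fewer, all hex)
    or 'malformed'. text is the nibble labels joined in address order.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return ("not-ip6-arpa", "")
    nibbles = labels[:-2]
    text = "".join(reversed(nibbles))
    # A well-formed reverse name has at most 32 labels, each one hex digit.
    if len(nibbles) > 32 or any(len(l) != 1 or l not in HEX for l in nibbles):
        return ("malformed", text)
    return ("full" if len(nibbles) == 32 else "partial", text)

def malformed_ptr_counts(log_lines):
    """Count malformed ip6.arpa PTR names in 'time client qtype qname' lines."""
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "PTR":
            continue
        verdict, text = classify_ip6_arpa(fields[3])
        if verdict == "malformed":
            counts[(fields[3].lower(), text)] += 1
    return counts

# Constructed: a valid reverse name for the documentation address 2001:db8::1.
VALID_PTR = ".".join(reversed("20010db8" + "0" * 23 + "1")) + ".ip6.arpa."

# Constructed sample log; client addresses are documentation ranges.
SAMPLE_LOG = [
    "1189435680 192.0.2.10 PTR 0.0.0.0.p.t.t.h.ip6.arpa.",
    "1189435681 198.51.100.7 PTR 0.0.0.0.p.t.t.h.ip6.arpa.",
    "1189435682 192.0.2.10 A north-america.pool.ntp.org.",
    "1189435683 203.0.113.5 PTR " + VALID_PTR,
    "1189435684 203.0.113.5 PTR 4.3.2.1.in-addr.arpa.",
]

if __name__ == "__main__":
    for (name, text), n in malformed_ptr_counts(SAMPLE_LOG).items():
        print(f"{n:6d}  {name}  (address-order text: {text!r})")
```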
