[AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect resolvers doing'in-addr.arpa.com.au' requests?!
Damien Gardner Jnr
rendrag at rendrag.net
Wed Nov 25 11:34:11 EST 2009
Yeah, when I grumbled at the guy who'd pointed it at my box, he just
redelegated the dns back to the previous host's dns.. - apparently the
domain was only up for some conference his client had a month or so
ago, and was due to be taken down..
I emailed a couple of the 'small' sites who were making queries (i.e.
came from mail.x.com.au where x == some small company), will see if I
get any explanations on what was doing the querying..
On the upside, I have a fantastic list of probably most ISP/hosting
providers in .au's dns caches :) Would be interesting to test to see
which are open for recursion :)
On 25/11/2009, at 12:20 PM, Jay Mitchell wrote:
> Definitely something poked with the delegation of arpa.com.au.
> Take a look at:
> dig +trace arpa.com.au. SOA
> dig @brigh.twoplums.com.au. arpa.com.au. SOA
> dig @mutley.twoplums.com.au. arpa.com.au. SOA
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dan Irwin
> Sent: Wednesday, 25 November 2009 10:23 AM
> To: Damien Gardner Jnr; ausnog at ausnog.net
> Subject: Re: [AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect
> doing'in-addr.arpa.com.au' requests?!
> Is this behaviour from the dns resolver on windows systems?
> I recall that the windows xp resolver behaves oddly in some
> If it cannot resolve a name, it will append some portion of the
> computer's domain name to the requested name. If a lookup for
> "testmachine" fails, windows will lookup "testmachine.example.com",
> finally "testmachine.com". Perhaps this behaviour happens with
> lookups too, as forward and reverse lookups are not that different.
> Interestingly, I have noticed entries relating to arpa.com.au in some
> logs this morning:
>> too many timeouts resolving 'arpa.com.au/NS' (in 'arpa.com.au'?):
> disabling EDNS: 8 Time(s)
> From: ausnog-bounces at lists.ausnog.net
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Damien Gardner
> Sent: Tuesday, 24 November 2009 7:15 PM
> To: ausnog at ausnog.net
> Subject: [AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect
> resolvers doing'in-addr.arpa.com.au' requests?!
> Howdy Folks,
> Not quite a normal email for this list, but oz-isp seems to have
> disappeared into the ether, and I figured my target audience is
> on this list anyway..
> I've got a little old box sitting in my rack which I'd
> completely forgotten about (oooooold shell server dating back 10+
> years), which I got an email from one of the users about today.. Seems
> it'd filled it's /var up with BIND spitting out lots of refusals for
> repeated PTR lookups.. Ok, I've seen the occasional misdirected query
> (and there was that .jp ISP ~5 years ago who it took a * zone in DNS
> with a redirect to hello.jpg to get them to fix the DNS server list
> were sending the DSL clients, but that was all 'normal' traffic), but
> this is just plain bizarre..
> Seems one of the guys using the box for 2ndary dns went and
> redelegated arpa.com.au over to using the box late last month.. Now
> that seems normal enough.. Until you look at the 30-40 requests/sec
> coming in from fairly large .au resolvers
> (resolv1.syd7.internode.on.net, yarrina.connect.com.au,
> warrane.connect.com.au, ns2.on.net, GigEth8-0-0.ia4.optus.net.au,
> dns0.iseek.com.au, ns1.intellicentre.com.au, bld2.pao.opendns.com,
> syd-dnscache-01.brennanit.net.au, bne-dnscache-01.brennanit.net.au,
> ns.mel.pacific.net.au, bware01.bur.connect.com.au,
> dnsxx.yyy.optusnet.com.au, etc), for NS and PTR queries against mainly
> 10.in-addr.arpa.com.au, as well as quite a host of other
> in-addr.arpa.com.au 'zones'..
> I've asked the person in question to get the box out of the dns
> servers for the domain ASAP, but it leaves me curious - why are these
> lookups happening? I'm assuming that the big ISP's (i'm seeing pretty
> much every large resolver in .au in the logs in just the last 30
> aren't all mis-configuring their servers... - so does that mean that
> there are that many clients of these ISP's producing these requests?
> Rather boggles the imagination that there's that many misconfigured
> boxes out there... (seriously, how DO you mess something up enough
> it queries in-addr.arpa.com.au ??)
> *confused* :)
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net - http://www.rendrag.net.au/
> We rode on the winds of the rising storm,
> We ran to the sounds of thunder.
> We danced among the lightning bolts,
> and tore the world asunder
> AusNOG mailing list
> AusNOG at lists.ausnog.net
More information about the AusNOG