<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Howdy Folks,<div><br></div><div>Not quite a normal email for this list, but oz-isp seems to have disappeared into the ether, and I figured my target audience is probably on this list anyway..</div><div><br></div><div>I've got a little old box sitting in my rack which I'd completely forgotten about (oooooold shell server dating back 10+ years), which I got an email from one of the users about today.. Seems it'd filled it's /var up with BIND spitting out lots of refusals for repeated PTR lookups.. Ok, I've seen the occasional misdirected query (and there was that .jp ISP ~5 years ago who it took a * zone in DNS with a redirect to hello.jpg to get them to fix the DNS server list they were sending the DSL clients, but that was all 'normal' traffic), but this is just plain bizarre..</div><div><br></div><div>Seems one of the guys using the box for 2ndary dns went and redelegated arpa.com.au over to using the box late last month.. Now that seems normal enough.. Until you look at the 30-40 requests/sec coming in from fairly large .au resolvers (resolv1.syd7.internode.on.net, yarrina.connect.com.au, warrane.connect.com.au, ns2.on.net, GigEth8-0-0.ia4.optus.net.au, dns0.iseek.com.au, ns1.intellicentre.com.au, bld2.pao.opendns.com, syd-dnscache-01.brennanit.net.au, bne-dnscache-01.brennanit.net.au, ns.mel.pacific.net.au, bware01.bur.connect.com.au, dnsxx.yyy.optusnet.com.au, etc), for NS and PTR queries against mainly 10.in-addr.arpa.com.au, as well as quite a host of other in-addr.arpa.com.au 'zones'..</div><div><br></div><div>I've asked the person in question to get the box out of the dns servers for the domain ASAP, but it leaves me curious - why are these lookups happening? I'm assuming that the big ISP's (i'm seeing pretty much every large resolver in .au in the logs in just the last 30 mins!) aren't all mis-configuring their servers... - so does that mean that there are that many clients of these ISP's producing these requests? Rather boggles the imagination that there's that many misconfigured boxes out there... (seriously, how DO you mess something up enough that it queries in-addr.arpa.com.au ??)</div><div><br></div><div>*confused* :)</div><div><br></div><div>Cheers,</div><div><br></div><div>DG</div><div><br><div apple-content-edited="true"> <span class="Apple-style-span" style="font-size: 12px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Damien Gardner Jnr<br>VK2TDG. Dip EE. GradIEAust<br><a href="mailto:rendrag@rendrag.net">rendrag@rendrag.net</a> - <a href="http://www.rendrag.net/">http://www.rendrag.net.au/</a><br>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder</div></div></span> </div><br></div></body></html>