[AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect resolvers doing 'in-addr.arpa.com.au' requests?!

Damien Gardner Jnr rendrag at rendrag.net
Tue Nov 24 20:15:00 EST 2009


Howdy Folks,

Not quite a normal email for this list, but oz-isp seems to have  
disappeared into the ether, and I figured my target audience is  
probably on this list anyway..

I've got a little old box sitting in my rack which I'd completely  
forgotten about (oooooold shell server dating back 10+ years), which I  
got an email from one of the users about today.. Seems it'd filled
its /var up with BIND spitting out lots of refusals for repeated PTR
lookups..  Ok, I've seen the occasional misdirected query (and there  
was that .jp ISP ~5 years ago who it took a * zone in DNS with a  
redirect to hello.jpg to get them to fix the DNS server list they were  
sending the DSL clients, but that was all 'normal' traffic), but this  
is just plain bizarre..

Seems one of the guys using the box for 2ndary dns went and  
redelegated arpa.com.au over to using the box late last month..  Now  
that seems normal enough..  Until you look at the 30-40 requests/sec  
coming in from fairly large .au resolvers
(resolv1.syd7.internode.on.net, yarrina.connect.com.au,
warrane.connect.com.au, ns2.on.net, GigEth8-0-0.ia4.optus.net.au,
dns0.iseek.com.au, ns1.intellicentre.com.au, bld2.pao.opendns.com,
syd-dnscache-01.brennanit.net.au, bne-dnscache-01.brennanit.net.au,
ns.mel.pacific.net.au, bware01.bur.connect.com.au,
dnsxx.yyy.optusnet.com.au, etc), for NS and PTR queries against mainly
10.in-addr.arpa.com.au, as well as quite a host of other
in-addr.arpa.com.au 'zones'..

I've asked the person in question to get the box out of the dns  
servers for the domain ASAP, but it leaves me curious - why are these  
lookups happening?  I'm assuming that the big ISPs (I'm seeing pretty
much every large resolver in .au in the logs in just the last 30
mins!) aren't all mis-configuring their servers... - so does that mean
that there are that many clients of these ISPs producing these
requests?  Rather boggles the imagination that there's that many  
misconfigured boxes out there... (seriously, how DO you mess something  
up enough that it queries in-addr.arpa.com.au ??)

*confused* :)

Cheers,

DG

Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net -  http://www.rendrag.net.au/
--
We rode on the winds of the rising storm,
  We ran to the sounds of thunder.
We danced among the lightning bolts,
  and tore the world asunder
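
An added example, not part of the original post: one way to summarise the kind of BIND refusal log described above, counting misdirected in-addr.arpa.com.au queries per top 'zone', query type and source resolver. The log line shape is an assumption (the post shows no log lines) and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

SUFFIX = "in-addr.arpa.com.au"

# Assumed BIND 9 refusal line shape (not shown in the post):
#   ... client <ip>#<port>: query (cache) '<name>/<TYPE>/IN' denied
LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \(\S+\))?: "
    r"query(?: \(cache\))? '(?P<name>[^/']+)/(?P<qtype>\w+)/IN' denied"
)

def zone_of(name):
    """Return the top 'zone' under in-addr.arpa.com.au, or None if unrelated."""
    name = name.rstrip(".").lower()
    if name == SUFFIX:
        return SUFFIX
    if not name.endswith("." + SUFFIX):
        return None
    labels = name[: -len(SUFFIX) - 1].split(".")
    return labels[-1] + "." + SUFFIX

def summarise(lines):
    """Count refused queries by (zone, qtype) and by client address."""
    by_zone, by_client = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a refusal line in the assumed format
        zone = zone_of(m["name"])
        if zone is None:
            continue  # refusal for some unrelated name
        by_zone[(zone, m["qtype"])] += 1
        by_client[m["ip"]] += 1
    return by_zone, by_client

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "24-Nov-2009 19:45:01.101 security: info: client 192.0.2.10#40211: query (cache) '10.in-addr.arpa.com.au/NS/IN' denied",
    "24-Nov-2009 19:45:01.140 security: info: client 192.0.2.10#40212: query (cache) '5.1.0.10.in-addr.arpa.com.au/PTR/IN' denied",
    "24-Nov-2009 19:45:01.322 security: info: client 198.51.100.7#5353: query (cache) '1.1.168.192.in-addr.arpa.com.au/PTR/IN' denied",
    "24-Nov-2009 19:45:01.400 security: info: client 203.0.113.53#1024: query (cache) 'www.example.com/A/IN' denied",
    "24-Nov-2009 19:45:01.512 security: info: client 198.51.100.7#5354: query (cache) '9.0.0.10.IN-ADDR.ARPA.com.au/PTR/IN' denied",
]

if __name__ == "__main__":
    zones, clients = summarise(SAMPLE)
    for (zone, qtype), n in zones.most_common():
        print(f"{n:6d}  {qtype:4s} {zone}")
    for ip, n in clients.most_common():
        print(f"{n:6d}  {ip}")
```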
