[AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect resolvers doing 'in-addr.arpa.com.au' requests?!
lathiat at bur.st
Tue Nov 24 20:43:44 EST 2009
On 24/11/2009, at 5:15 PM, Damien Gardner Jnr wrote:
> Howdy Folks,
> Not quite a normal email for this list, but oz-isp seems to have disappeared into the ether, and I figured my target audience is probably on this list anyway..
> I've got a little old box sitting in my rack which I'd completely forgotten about (oooooold shell server dating back 10+ years), which I got an email from one of the users about today.. Seems it'd filled its /var up with BIND spitting out lots of refusals for repeated PTR lookups.. Ok, I've seen the occasional misdirected query (and there was that .jp ISP ~5 years ago who it took a * zone in DNS with a redirect to hello.jpg to get them to fix the DNS server list they were sending the DSL clients, but that was all 'normal' traffic), but this is just plain bizarre..
> Seems one of the guys using the box for 2ndary dns went and redelegated arpa.com.au over to using the box late last month.. Now that seems normal enough.. Until you look at the 30-40 requests/sec coming in from fairly large .au resolvers (resolv1.syd7.internode.on.net, yarrina.connect.com.au, warrane.connect.com.au, ns2.on.net, GigEth8-0-0.ia4.optus.net.au, dns0.iseek.com.au, ns1.intellicentre.com.au, bld2.pao.opendns.com, syd-dnscache-01.brennanit.net.au, bne-dnscache-01.brennanit.net.au, ns.mel.pacific.net.au, bware01.bur.connect.com.au, dnsxx.yyy.optusnet.com.au, etc), for NS and PTR queries against mainly 10.in-addr.arpa.com.au, as well as quite a host of other in-addr.arpa.com.au 'zones'..
> I've asked the person in question to get the box out of the dns servers for the domain ASAP, but it leaves me curious - why are these lookups happening? I'm assuming that the big ISPs (I'm seeing pretty much every large resolver in .au in the logs in just the last 30 mins!) aren't all mis-configuring their servers... - so does that mean that there are that many clients of these ISPs producing these requests? Rather boggles the imagination that there's that many misconfigured boxes out there... (seriously, how DO you mess something up enough that it queries in-addr.arpa.com.au ??)
> *confused* :)
Many web browsers and possibly even resolvers try to append ".com", ".com.au" etc. to things that don't work - assuming they were mis-typed. I suspect you'll find there's some fairly specific bit of software being the main culprit here, and I'm not sure what it is, but it's fairly unsurprising to me personally. I'd love to know what specifically is doing it, though.. I'm going to guess Windows something.
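For an operator who wants to measure what the thread describes rather than eyeball /var, the following is an added example (not code from this thread or from any of the resolvers named in it). It parses BIND 9 query-log lines, recognises reverse-lookup names that have had a search suffix glued on after "in-addr.arpa" (as in "10.in-addr.arpa.com.au"), recovers the name the client meant to ask and the address block it refers to, and counts hits per source resolver and per appended suffix. It also separately counts leaked queries for RFC 1918 space, since a PTR for 10.x.x.x arriving at a public authoritative server discloses internal addressing. The log lines and client addresses are constructed for the example; the log format assumed is BIND 9's "client <ip>#<port>: query: <name> <class> <type>" layout.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (documentation addresses, hypothetical timestamps).
SAMPLE_LOG = """\
24-Nov-2009 17:01:02.123 client 192.0.2.10#53412: query: 1.0.0.10.in-addr.arpa.com.au IN PTR - (198.51.100.5)
24-Nov-2009 17:01:02.456 client 192.0.2.10#53413: query: 10.in-addr.arpa.com.au IN NS - (198.51.100.5)
24-Nov-2009 17:01:03.001 client 203.0.113.7#40001: query: 5.100.51.198.in-addr.arpa.com.au IN PTR - (198.51.100.5)
24-Nov-2009 17:01:03.250 client 203.0.113.7#40002: query: 8.0.16.172.in-addr.arpa.com IN PTR - (198.51.100.5)
24-Nov-2009 17:01:03.500 client 203.0.113.7#40003: query: www.arpa.com.au IN A - (198.51.100.5)
24-Nov-2009 17:01:04.000 client 192.0.2.10#53414: query: 1.0.0.10.in-addr.arpa IN PTR - (198.51.100.5)
"""

# BIND 9 query-log layout (assumed): "client <ip>#<port>: query: <name> <class> <type> ..."
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

# A reverse name with junk labels after "in-addr.arpa": the octet labels, then the suffix
# that a search list appended, e.g. "10.in-addr.arpa.com.au" -> octets "10.", suffix "com.au".
LEAK_RE = re.compile(r"^(?P<octets>(?:\d{1,3}\.){1,4})in-addr\.arpa\.(?P<suffix>.+?)\.?$")

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_query_line(line):
    """Extract client address, queried name and type from one log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "name": m.group("name").rstrip(".").lower(),
        "qtype": m.group("qtype").upper(),
    }


def classify_reverse_name(name):
    """Return (intended_name, appended_suffix, network) for a leaked reverse query,
    or None when the name is not an in-addr.arpa name with a suffix glued on."""
    m = LEAK_RE.match(name)
    if not m:
        return None
    octets = m.group("octets").rstrip(".").split(".")
    intended = m.group("octets") + "in-addr.arpa"
    # PTR labels are in reverse order; missing octets become a /8, /16 or /24 block.
    forward = list(reversed(octets)) + ["0"] * (4 - len(octets))
    prefixlen = 8 * len(octets)
    network = ipaddress.ip_network(".".join(forward) + "/%d" % prefixlen)
    return intended, m.group("suffix"), network


def is_rfc1918(network):
    """True when the recovered block lies inside RFC 1918 private space."""
    return any(network.subnet_of(block) for block in RFC1918)


def summarize(log_text, suffixes=None):
    """Count leaked reverse queries per (client, suffix), plus per-client counts of
    leaks that refer to RFC 1918 space. `suffixes` optionally restricts the match."""
    counts = Counter()
    private_leaks = Counter()
    for line in log_text.splitlines():
        query = parse_query_line(line)
        if query is None:
            continue
        hit = classify_reverse_name(query["name"])
        if hit is None:
            continue
        _intended, suffix, network = hit
        if suffixes and suffix not in suffixes:
            continue
        counts[(query["client"], suffix)] += 1
        if is_rfc1918(network):
            private_leaks[query["client"]] += 1
    return counts, private_leaks


if __name__ == "__main__":
    totals, private = summarize(SAMPLE_LOG)
    for (client, suffix), n in totals.most_common():
        print("%-16s suffix=%-12s queries=%d rfc1918=%d" % (client, suffix, n, private[client]))
```

Run it against a real query log (`rndc querylog` on the authoritative box) and the per-suffix column shows which search lists are being appended, which narrows down the client software; the RFC 1918 column is the part worth raising with the resolver operators, since those queries should never have left their networks.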