[AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect resolvers doing'in-addr.arpa.com.au' requests?!
Dan Irwin
dan at jackies.com.au
Wed Nov 25 10:22:40 EST 2009
Is this behaviour from the dns resolver on windows systems?
I recall that the windows xp resolver behaves oddly in some situations.
If it cannot resolve a name, it will append some portion of the
computer's domain name to the requested name. If a lookup for
"testmachine" fails, windows will lookup "testmachine.example.com", and
finally "testmachine.com". Perhaps this behaviour happens with "reverse"
lookups too, as forward and reverse lookups are not that different.
Interestingly, I have noticed entries relating to arpa.com.au in some
logs this morning:
> too many timeouts resolving 'arpa.com.au/NS' (in 'arpa.com.au'?):
disabling EDNS: 8 Time(s)
Regards,
Dan
________________________________
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Damien Gardner Jnr
Sent: Tuesday, 24 November 2009 7:15 PM
To: ausnog at ausnog.net
Subject: [AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect
resolvers doing'in-addr.arpa.com.au' requests?!
Howdy Folks,
Not quite a normal email for this list, but oz-isp seems to have
disappeared into the ether, and I figured my target audience is probably
on this list anyway..
I've got a little old box sitting in my rack which I'd
completely forgotten about (oooooold shell server dating back 10+
years), which I got an email from one of the users about today.. Seems
it'd filled it's /var up with BIND spitting out lots of refusals for
repeated PTR lookups.. Ok, I've seen the occasional misdirected query
(and there was that .jp ISP ~5 years ago who it took a * zone in DNS
with a redirect to hello.jpg to get them to fix the DNS server list they
were sending the DSL clients, but that was all 'normal' traffic), but
this is just plain bizarre..
Seems one of the guys using the box for 2ndary dns went and
redelegated arpa.com.au over to using the box late last month.. Now
that seems normal enough.. Until you look at the 30-40 requests/sec
coming in from fairly large .au resolvers
(resolv1.syd7.internode.on.net, yarrina.connect.com.au,
warrane.connect.com.au, ns2.on.net, GigEth8-0-0.ia4.optus.net.au,
dns0.iseek.com.au, ns1.intellicentre.com.au, bld2.pao.opendns.com,
syd-dnscache-01.brennanit.net.au, bne-dnscache-01.brennanit.net.au,
ns.mel.pacific.net.au, bware01.bur.connect.com.au,
dnsxx.yyy.optusnet.com.au, etc), for NS and PTR queries against mainly
10.in-addr.arpa.com.au, as well as quite a host of other
in-addr.arpa.com.au 'zones'..
I've asked the person in question to get the box out of the dns
servers for the domain ASAP, but it leaves me curious - why are these
lookups happening? I'm assuming that the big ISP's (i'm seeing pretty
much every large resolver in .au in the logs in just the last 30 mins!)
aren't all mis-configuring their servers... - so does that mean that
there are that many clients of these ISP's producing these requests?
Rather boggles the imagination that there's that many misconfigured
boxes out there... (seriously, how DO you mess something up enough that
it queries in-addr.arpa.com.au ??)
*confused* :)
Cheers,
DG
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net - http://www.rendrag.net.au/
<http://www.rendrag.net/>
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
More information about the AusNOG
mailing list