[AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect resolvers doing 'in-addr.arpa.com.au' requests?!
Damien Gardner Jnr
rendrag at rendrag.net
Wed Nov 25 12:34:11 EST 2009
Yeah, when I grumbled at the guy who'd pointed it at my box, he just
redelegated the dns back to the previous host's dns.. - apparently the
domain was only up for some conference his client had a month or so
ago, and was due to be taken down..
I emailed a couple of the 'small' sites who were making queries (i.e.
came from mail.x.com.au where x == some small company), will see if I
get any explanations on what was doing the querying..
On the upside, I have a fantastic list of probably most ISP/hosting
providers in .au's dns caches :) Would be interesting to test to see
which are open for recursion :)
Cheers,
DG
On 25/11/2009, at 12:20 PM, Jay Mitchell wrote:
> Definitely something poked with the delegation of arpa.com.au.
>
> Take a look at:
>
> dig +trace arpa.com.au. SOA
>
> then
>
> dig @brigh.twoplums.com.au. arpa.com.au. SOA
>
> &
>
> dig @mutley.twoplums.com.au. arpa.com.au. SOA
>
> --jay
>
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dan Irwin
> Sent: Wednesday, 25 November 2009 10:23 AM
> To: Damien Gardner Jnr; ausnog at ausnog.net
> Subject: Re: [AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect
> resolvers
> doing'in-addr.arpa.com.au' requests?!
>
> Is this behaviour from the dns resolver on windows systems?
>
> I recall that the Windows XP resolver behaves oddly in some situations.
> If it cannot resolve a name, it will append some portion of the
> computer's domain name to the requested name. If a lookup for
> "testmachine" fails, Windows will look up "testmachine.example.com", and
> finally "testmachine.com". Perhaps this behaviour happens with "reverse"
> lookups too, as forward and reverse lookups are not that different.
>
> Interestingly, I have noticed entries relating to arpa.com.au in some
> logs this morning:
>
> > too many timeouts resolving 'arpa.com.au/NS' (in 'arpa.com.au'?): disabling EDNS: 8 Time(s)
>
> Regards,
>
> Dan
>
>
> ________________________________
>
> From: ausnog-bounces at lists.ausnog.net
> [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Damien Gardner
> Jnr
> Sent: Tuesday, 24 November 2009 7:15 PM
> To: ausnog at ausnog.net
> Subject: [AusNOG] arpa.com.au.. wtf?? (telstra/optus/connect
> resolvers doing'in-addr.arpa.com.au' requests?!
>
>
> Howdy Folks,
>
> Not quite a normal email for this list, but oz-isp seems to have
> disappeared into the ether, and I figured my target audience is probably
> on this list anyway..
>
> I've got a little old box sitting in my rack which I'd
> completely forgotten about (oooooold shell server dating back 10+
> years), which I got an email from one of the users about today.. Seems
> it'd filled its /var up with BIND spitting out lots of refusals for
> repeated PTR lookups.. Ok, I've seen the occasional misdirected query
> (and there was that .jp ISP ~5 years ago who it took a * zone in DNS
> with a redirect to hello.jpg to get them to fix the DNS server list they
> were sending the DSL clients, but that was all 'normal' traffic), but
> this is just plain bizarre..
>
> Seems one of the guys using the box for 2ndary dns went and
> redelegated arpa.com.au over to using the box late last month.. Now
> that seems normal enough.. Until you look at the 30-40 requests/sec
> coming in from fairly large .au resolvers
> (resolv1.syd7.internode.on.net, yarrina.connect.com.au,
> warrane.connect.com.au, ns2.on.net, GigEth8-0-0.ia4.optus.net.au,
> dns0.iseek.com.au, ns1.intellicentre.com.au, bld2.pao.opendns.com,
> syd-dnscache-01.brennanit.net.au, bne-dnscache-01.brennanit.net.au,
> ns.mel.pacific.net.au, bware01.bur.connect.com.au,
> dnsxx.yyy.optusnet.com.au, etc), for NS and PTR queries against mainly
> 10.in-addr.arpa.com.au, as well as quite a host of other
> in-addr.arpa.com.au 'zones'..
>
> I've asked the person in question to get the box out of the dns
> servers for the domain ASAP, but it leaves me curious - why are these
> lookups happening? I'm assuming that the big ISPs (I'm seeing pretty
> much every large resolver in .au in the logs in just the last 30 mins!)
> aren't all mis-configuring their servers... - so does that mean that
> there are that many clients of these ISPs producing these requests?
> Rather boggles the imagination that there's that many misconfigured
> boxes out there... (seriously, how DO you mess something up enough that
> it queries in-addr.arpa.com.au ??)
>
> *confused* :)
>
> Cheers,
>
> DG
>
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net - http://www.rendrag.net.au/
> <http://www.rendrag.net/>
> --
> We rode on the winds of the rising storm,
> We ran to the sounds of thunder.
> We danced among the lightning bolts,
> and tore the world asunder
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
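Added example, not part of the original thread or any poster's code: a small Python pass over BIND query-log lines that flags reverse-DNS names with a suffix appended after `in-addr.arpa` or `ip6.arpa` (the `in-addr.arpa.com.au` pattern discussed above) and counts them per querying client. The log layout, the regular expression and the sample lines are assumptions constructed for illustration; the addresses are documentation ranges.

```python
import re
from collections import Counter

# Assumed BIND 9 querylog layout; adjust the pattern to your server's format.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+.*?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)
REVERSE_ROOTS = (("in-addr", "arpa"), ("ip6", "arpa"))


def leaked_suffix(qname):
    """Return the suffix appended after a reverse-DNS root, or None if well-formed."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        if (labels[i], labels[i + 1]) in REVERSE_ROOTS:
            tail = labels[i + 2:]          # anything after "arpa" is a leak
            return ".".join(tail) if tail else None
    return None                            # not a reverse lookup at all


def summarize(log_lines):
    """Count leaked reverse lookups per (client, qtype, appended suffix)."""
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        suffix = leaked_suffix(m.group("qname")) if m else None
        if suffix:
            hits[(m.group("client"), m.group("qtype"), suffix)] += 1
    return hits


# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "25-Nov-2009 12:20:01.101 client 192.0.2.10#53211: query: 4.3.2.10.in-addr.arpa.com.au IN PTR -",
    "25-Nov-2009 12:20:01.350 client 192.0.2.10#53212: query: 9.8.7.10.in-addr.arpa.com.au IN PTR -",
    "25-Nov-2009 12:20:02.004 client 198.51.100.7#40111: query: 10.in-addr.arpa.com.au IN NS -",
    "25-Nov-2009 12:20:02.900 client 198.51.100.7#40112: query: 4.3.2.10.in-addr.arpa IN PTR -",
    "25-Nov-2009 12:20:03.120 client 203.0.113.5#33000: query: www.arpa.com.au IN A -",
]

if __name__ == "__main__":
    for (client, qtype, suffix), count in summarize(SAMPLE).most_common():
        print(f"{client:15} {qtype:4} appended suffix .{suffix}  x{count}")
```

Run against a resolver's own query log, the per-client counts point at the hosts whose search-list or suffix settings are generating the malformed reverse lookups.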