I've come across something interesting in my named logs:

00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:38 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied

where 216.58.37.216 is my IP address, assigned by my ISP and reverse resolved by my ISP's name servers.

What is interesting is the fact that 205.166.76.12 is asking me (216.58.37.216) for the PTR for my address. Is this just broken NS software or are they (Nintendo, FWIW) doing something interesting, like giving everyone an opportunity to provide an rdns for their own IP address without everyone having to make classless in-addr.arpa delegation arrangements with their ISP (which mine refused to do)?

It's kind of a neat concept if it's not just an accident of broken NS software. Has anyone else seen anything like this before? Is there some (proposed even) standard for doing this that I'm not aware of?

In any case, now to the BIND part. It seems reasonable for me to answer that query, either with my own data or simply by allowing that query to recurse. I suppose I could create a zone for it and put some data in it for that one record if I wanted to provide my own data.

But what if I just wanted to allow recursive queries on that name so that I simply returned whatever the proper NSes for it report? I guess I could add a zone record for it with a forwarder(s) configured to the name's proper NSes, yes? But that means me having to maintain those forward records in tandem with my ISP playing musical NSes (which I don't expect but why create a possible maintenance headache).

So how could I configure BIND to allow a query for 5.37.58.216.in-addr.arpa to be recursive for everyone, but of course, continue to disallow general open recursive querying for names not served here?

Cheers,
b.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
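
One way to triage log entries like the ones quoted in the message above, as an added example that is not part of the original post: it groups named's denied cache-query lines by client and decodes each PTR name back to the address it refers to. It assumes the log format is exactly the one shown in the post; the function names and the sample text are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three of the denied-query lines quoted in the post.
SAMPLE_LOG = """\
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:38 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
"""

# Matches only the line layout shown in the post (assumption).
DENIED = re.compile(
    r"^(?P<time>\S+) named client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied$"
)

def ptr_name_to_ip(qname):
    """Return the IPv4 address a full in-addr.arpa name refers to, else None."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None  # partial or classless-delegation names are not one host
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None

def summarize_denied(log_text):
    """Group denied cache queries by (client, view, qname, qtype)."""
    groups = defaultdict(
        lambda: {"count": 0, "ports": set(), "first": None, "last": None, "target": None}
    )
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue  # not a denied-query line in the assumed format
        g = groups[(m["ip"], m["view"], m["qname"], m["qtype"])]
        g["count"] += 1
        g["ports"].add(int(m["port"]))  # repeated ports suggest retries of one lookup
        g["first"] = g["first"] or m["time"]
        g["last"] = m["time"]
        if m["qtype"] == "PTR":
            g["target"] = ptr_name_to_ip(m["qname"])
    return dict(groups)
```
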