Re: DNS & IP address management

2021-09-23 Thread touseef.rehman1--- via NANOG
I am a noob here and I know we have failed to implement DNS scavenging 
which removes duplicate entries, not sure if it's related to your issue. 
But if it's not enabled on the DNS server this can be troublesome.


From: Owen DeLong via NANOG 
Sent: 23 September 2021 02:45:27 BST
To: Joel Sommers 
Cc: nanog@nanog.org
Subject: Re: DNS & IP address management
Many organizations will use their in-addr.arpa zone(s) as an alternative 
form of poor-man’s IPAM.

It looks like you’ve come across some such organizations.

Likely those are simply the free (unassigned) addresses within the 
organization. Likely there are other similar host names in other /24s in 
the same organization if they have more than a /24 of total address 
space.

OTOH, organizations which do this tend to be relatively small as it 
doesn’t scale well to multiple administrators managing the same free 
pool.

Owen

On Sep 22, 2021, at 07:12 , Joel Sommers wrote:

Hello all -

I am a researcher at Colgate University, working with colleagues at the 
University of Wisconsin and Boston University on studying aspects of the 
DNS.

We're wondering if anyone here would be willing to share some insight 
into an apparent IP address management practice we have observed that is 
evident through the DNS.  In particular, we've seen a number of 
organizations that have a fairly large number of IPv4 addresses 
(typically all within the same /24 aggregate or similar) all associated 
with a single FQDN, where the name is typically something like 
"reserved.52net.example.tld".  Besides the common "reserved" keyword in 
the FQDN, we also see names like "not-in-use.example.tld", again with 
quite a few addresses all mapped to that one name.  The naming appears 
to suggest that this is an on-the-cheap IP address management practice, 
but we are wondering if there are other operational reasons that might 
be behind what we observe.

Thank you for any insights you have -- please feel free to respond 
off-list.

Regards,

Joel Sommers


Re: DNS & IP address management

2021-09-22 Thread Owen DeLong via NANOG
Many organizations will use their in-addr.arpa zone(s) as an alternative form 
of poor-man’s IPAM.

It looks like you’ve come across some such organizations.

Likely those are simply the free (unassigned) addresses within the 
organization. Likely there are other similar host names in other /24s in the 
same organization if they have more than a /24 of total address space.

OTOH, organizations which do this tend to be relatively small as it doesn’t 
scale well to multiple administrators managing the same free pool.

Owen


> On Sep 22, 2021, at 07:12 , Joel Sommers  wrote:
> 
> Hello all -
> 
> I am a researcher at Colgate University, working with colleagues at the 
> University of Wisconsin and Boston University on studying aspects of the DNS.
> 
> We're wondering if anyone here would be willing to share some insight into an 
> apparent IP address management practice we have observed that is evident 
> through the DNS.  In particular, we've seen a number of organizations that 
> have a fairly large number of IPv4 addresses (typically all within the same 
> /24 aggregate or similar) all associated with a single FQDN, where the name 
> is typically something like "reserved.52net.example.tld".  Besides the common 
> "reserved" keyword in the FQDN, we also see names like 
> "not-in-use.example.tld", again with quite a few addresses all mapped to that 
> one name.  The naming appears to suggest that this is an on-the-cheap IP 
> address management practice, but we are wondering if there are other 
> operational reasons that might be behind what we observe.
> 
> Thank you for any insights you have -- please feel free to respond off-list.
> 
> Regards,
> Joel Sommers



Re: DNS & IP address management

2021-09-22 Thread Warren Kumari
On Wed, Sep 22, 2021 at 11:15 AM Andy Smith  wrote:

> Hi Joel,
>
> On Wed, Sep 22, 2021 at 10:12:26AM -0400, Joel Sommers wrote:
> > Besides the common "reserved" keyword in the FQDN, we also see
> > names like "not-in-use.example.tld", again with quite a few
> > addresses all mapped to that one name.
>
> I assume you are seeing this by resolving the reverse DNS of each IP
> address in the range.
>
> > The naming appears to suggest that this is an on-the-cheap IP
> > address management practice, but we are wondering if there are
> > other operational reasons that might be behind what we observe.
>
> The purpose is generally informational, for those without access to
> the internal address management system (or quick hint to those who
> do have access).
>
> If one sees traffic from such an IP address and then sees it
> being marked as reserved or not in use, then one knows that
> something is up, either with the presence of the traffic or the lack
> of an update to the reverse mapping. If there had been simply no
> reverse mapping then this information would not have been conveyed.
>
> It doesn't imply a lack of an address management system or an
> attempt to use DNS to manage "on the cheap" - though it doesn't
> exclude those possibilities either.
>

Yup. Some IPAM tools will generate / populate zone files with this sort of
thing for you.

This sort of thing used to be more common when people would use things
like "101.92.140.39.dynamic.isp.com" or "cable-78-109-33-05.provider.net"
to signal that the address was in use by a dynamic customer (and so shouldn't
be sending mail directly), "reserved-10.10.10.100.example.com" (or
'unused' or whatever) to signal that it isn't in use (and so shouldn't be
sending mail at all), and "mx-17.example.net" to signal that it is a "real"
mailserver.

I suspect that the "on the cheap" is more places that don't have working
reverse DNS at all.

W


> Thanks,
> Andy
>


-- 
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra
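
Added example, not part of any poster's message: a small Python check that applies the PTR naming conventions discussed above to flow records, flagging traffic from addresses whose reverse name says "reserved"/"unused"/"not-in-use" and direct SMTP from addresses named as dynamic. The regexes, function names, sample addresses (documentation ranges) and the provider.example name are assumptions constructed for illustration.

```python
import ipaddress
import re

# Patterns for the reverse-DNS naming conventions mentioned in the thread.
# The exact regexes are assumptions; adapt them to the names used locally.
PTR_CLASSES = [
    ("unused", re.compile(r"(^|[.-])(reserved|unused|not-in-use)([.-]|$)")),
    ("dynamic", re.compile(r"(^|[.-])(dynamic|cable)([.-]|$)")),
    ("mail", re.compile(r"^mx[-\d]*\.")),
]

def classify_ptr(name):
    """Return 'unused', 'dynamic', 'mail', 'other', or 'none' if no PTR exists."""
    if not name:
        return "none"
    name = name.rstrip(".").lower()
    for label, pattern in PTR_CLASSES:
        if pattern.search(name):
            return label
    return "other"

def review_flows(flows, ptr_lookup):
    """flows: iterable of (src_ip, dst_port); ptr_lookup: callable ip -> name or None."""
    findings = []
    for src, dport in flows:
        ip = str(ipaddress.ip_address(src))  # validates and normalises the address
        label = classify_ptr(ptr_lookup(ip))
        if label == "unused":
            # Either the traffic is unexpected or the reverse mapping is stale.
            findings.append((ip, dport, "traffic from address marked unused"))
        elif label == "dynamic" and dport == 25:
            findings.append((ip, dport, "direct SMTP from dynamic-pool address"))
    return findings

# Constructed sample data, not real observations.
SAMPLE_PTR = {
    "192.0.2.10": "reserved.52net.example.tld",
    "192.0.2.77": "cable-192-0-2-77.provider.example",
    "198.51.100.5": "mx-17.example.net",
}
SAMPLE_FLOWS = [
    ("192.0.2.10", 443), ("192.0.2.77", 25), ("192.0.2.77", 443),
    ("198.51.100.5", 25), ("203.0.113.9", 25),
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS, SAMPLE_PTR.get):
        print(finding)
```

An address with no PTR at all (203.0.113.9 in the sample) produces no finding, which matches the point made in the thread that a missing reverse mapping conveys nothing.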


Re: DNS & IP address management

2021-09-22 Thread Andy Smith
Hi Joel,

On Wed, Sep 22, 2021 at 10:12:26AM -0400, Joel Sommers wrote:
> Besides the common "reserved" keyword in the FQDN, we also see
> names like "not-in-use.example.tld", again with quite a few
> addresses all mapped to that one name.

I assume you are seeing this by resolving the reverse DNS of each IP
address in the range.

> The naming appears to suggest that this is an on-the-cheap IP
> address management practice, but we are wondering if there are
> other operational reasons that might be behind what we observe.

The purpose is generally informational, for those without access to
the internal address management system (or quick hint to those who
do have access).

If one sees traffic from such an IP address and then sees it
being marked as reserved or not in use, then one knows that
something is up, either with the presence of the traffic or the lack
of an update to the reverse mapping. If there had been simply no
reverse mapping then this information would not have been conveyed.

It doesn't imply a lack of an address management system or an
attempt to use DNS to manage "on the cheap" - though it doesn't
exclude those possibilities either.

Thanks,
Andy


DNS & IP address management

2021-09-22 Thread Joel Sommers
Hello all -

I am a researcher at Colgate University, working with colleagues at the 
University of Wisconsin and Boston University on studying aspects of the DNS.

We're wondering if anyone here would be willing to share some insight into an 
apparent IP address management practice we have observed that is evident 
through the DNS.  In particular, we've seen a number of organizations that have 
a fairly large number of IPv4 addresses (typically all within the same /24 
aggregate or similar) all associated with a single FQDN, where the name is 
typically something like "reserved.52net.example.tld".  Besides the common 
"reserved" keyword in the FQDN, we also see names like 
"not-in-use.example.tld", again with quite a few addresses all mapped to that 
one name.  The naming appears to suggest that this is an on-the-cheap IP 
address management practice, but we are wondering if there are other 
operational reasons that might be behind what we observe.

Thank you for any insights you have -- please feel free to respond off-list.

Regards,
Joel Sommers