On Tue, October 9, 2007 09:25, Ask Bjørn Hansen wrote:
> In the process of changing the DNS software I occasionally looked in
> the logs (woah - never look in your nameserver logs; what an amazing
> amount of bogus queries - I can't imagine how painful it must be to
> see the root-server traffic).
>
> In particular we are getting a few hundred thousand PTR queries for
> "0.0.0.0.p.t.t.h.ip6.arpa." every hour to the pool.ntp.org servers
> ({a,b,c,d,e}.ntpns.org).
>
> After a bit of time staring at the log from my nameserver and tcpdump
> output I realized it is people trying to resolve "http://north-
> america.pool.ntp.org." (possibly with a broken request packet, I
> didn't look that closely). Somehow Net::DNS::Nameserver translates
> that to a PTR request.
Your nameserver is broken.
> In any case it's a bad request -- we don't have a "http://north-
> america" host. I'm not sure what the best to do with it would be
Aside from having "://" in it, the request's not bad...
> though. I could make my nameserver give them back a working IP
> address - since that'd be cached better it'd also lower the number of
> these queries to my nameserver. But I'd rather not encourage the
> misconfigured clients.
The correct response (NXDOMAIN) would be cached better.
> We could try to track down if someone made software with this
> particular misconfiguration; but with millions of users that's hard.
>
> Any suggestions? That's the operationally reasonable thing to do?
Fix the nameserver so it returns NXDOMAIN to the query instead of
inventing a PTR query? Perhaps this is a workaround in the server code
for some other client bug... which you could disable.
> 2007-10-05 22:31:43.792296500 193.162.153.170 |
> 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
> 2007-10-05 22:31:43.795737500 193.162.153.162 |
> 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
> 2007-10-05 22:31:43.907498500 62.254.206.205 |
> 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
> 2007-10-05 22:31:45.141533500 68.87.85.100 |
> 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
> 2007-10-05 22:31:45.434304500 68.87.73.243 |
> 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
> 2007-10-05 22:31:45.769949500 200.47.10.93 |
> 0.0.0.0.p.t.t.h.ip6.arpa. | PTR IN
--
Simon Arlott
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
