[rbldnsd] AAAA Queries?

Michael Tokarev mjt at tls.msk.ru
Fri Jul 28 11:18:24 MSD 2006


David Cary Hart wrote:
> A mirror contacted me about a large volume of AAAA queries from an ISP.
> Can someone offer me a clue how and/or why this would occur?
> 
> Their log looks like:
> 
> 10:46:32.002146 IP neutron.blast.net.3649 > mirror.xxx.com.domain: 38739 AAAA? 
> 228.231.101.81.prc.tqmcube.com. (48)
> 
> I cannot figure out what is happening here.

One *possible* cause is -- at least one version of Sendmail shipped with
Solaris (9? 8? - I don't remember) issued AAAA queries to DNSBLs.  I've
seen exactly this behaviour from Sendmail running on an IPv6-enabled Solaris
system - it was one of the reasons for writing rbldnsd in the first place,
because rbldns from DJB - the only relevant piece of software available at the
time - refused to reply to such queries, resulting in repeated requests
(because the resolver didn't give up and repeated its queries) and eventually
in the dnsbl lookup timing out.  Rbldnsd does not refuse such queries; it
correctly answers with either "valid domain but no data of requested type"
or NXDOMAIN (depending on whether a listing exists for this IP or not).

Again, this is only one possible explanation.  I haven't seen this bug
(and I do consider it a bug) in a long time now; it was fixed quite
quickly.

But I am seeing a lot of strange queries coming to the public DNSBL nameservers
I'm running.  Like asking for "random" data types like MX, PTR and whatnot
(in your example they're asking for AAAA), or using a DNSBL as an RHSBL
(like mx.example.com.list.dsbl.org A?), or even stuff like
  2].0.0.[127.list.dsbl.org A?
(yes, with those ']' and '[' - they're reversing the string representation of
an IP address surrounded with []).

That is to say - there's really a lot of fun stuff happening.  A lot of bugs
in software (or configs) which are never fixed.  But the amount of this noise
is minor compared with "normal" queries.

In your case, if you think those queries are too much, the only way to
figure out and probably stop them is to contact the relevant parties
(blast.net?) and ask for help.  Or just deny queries from them...
probably returning "listed" to everything (pssst... it isn't me
who's suggesting that, you never ever heard of me! ;)

And no, rbldnsd can't be configured to return something fixed for a
given type of queries.

/mjt
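As an added example (not code from the thread or from rbldnsd itself), the following Python models what the reply describes: it parses tcpdump-style query lines like the one quoted, classifies each as normal, odd query type, RHSBL-style or bracket-malformed, and answers the way the reply says rbldnsd does (NXDOMAIN for an unlisted IP, an empty NOERROR answer for an AAAA query on a listed one). The log lines, the listed address and the 127.0.0.2 answer are constructed; only the zone names come from the thread.

```python
import re
# Constructed tcpdump-style lines in the format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
10:46:32.002146 IP neutron.blast.net.3649 > mirror.xxx.com.domain: 38739 AAAA? 228.231.101.81.prc.tqmcube.com. (48)
10:46:33.002146 IP neutron.blast.net.3650 > mirror.xxx.com.domain: 38740 A? 228.231.101.81.prc.tqmcube.com. (48)
10:46:34.002146 IP host.example.net.4001 > mirror.xxx.com.domain: 38741 A? mx.example.com.list.dsbl.org. (45)
10:46:35.002146 IP host.example.net.4002 > mirror.xxx.com.domain: 38742 A? 2].0.0.[127.list.dsbl.org. (42)
"""
ZONES = ("prc.tqmcube.com", "list.dsbl.org")   # zone names taken from the thread
LISTED = {"81.101.231.228"}                      # constructed listing for the simulated zone
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > \S+: \d+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")

def parse_query(qname):
    """Split a name under one of ZONES into (label, ip). label is None for an
    unknown zone; ip is None unless the label is four reversed octets 0-255."""
    qname = qname.rstrip(".")
    for zone in ZONES:
        if qname.endswith("." + zone):
            label = qname[: -len(zone) - 1]
            parts = label.split(".")
            ok = len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)
            return label, (".".join(reversed(parts)) if ok else None)
    return None, None

def classify(qtype, qname):
    """Label a query the way the thread describes the noise seen at DNSBL servers."""
    label, ip = parse_query(qname)
    if label is None:
        return "other-zone"
    if "[" in label or "]" in label:
        return "malformed-brackets"      # reversed string form of "[127.0.0.2]"
    if ip is None:
        return "rhsbl-style"             # a hostname where a reversed IP belongs
    return "normal" if qtype in ("A", "TXT") else "odd-qtype"

def respond(qtype, qname):
    """rbldnsd-style answer: NXDOMAIN if unlisted; A data or NODATA (empty NOERROR) if listed."""
    _, ip = parse_query(qname)
    if ip is None or ip not in LISTED:
        return ("NXDOMAIN", None)
    return ("NOERROR", "127.0.0.2") if qtype == "A" else ("NOERROR", None)

def classify_log(text):
    """Parse each log line into (source, qtype, qname, category)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["src"], m["qtype"], m["qname"].rstrip("."), classify(m["qtype"], m["qname"])))
    return out
```

Counting the categories per source over a real capture shows whether one client is responsible for the AAAA volume, which is the question the mirror's log raises.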
