[rbldnsd] AAAA Queries?

Bri Bruns bruns at 2mbit.com
Fri Jul 28 17:42:26 MSD 2006


On Friday, July 28, 2006 3:18 AM [EST], Michael Tokarev wrote:

> David Cary Hart wrote:
>> A mirror contacted me about a large volume of AAAA queries from an ISP.
>> Can someone offer me a clue how and/or why this would occur?
>>
>> Their log looks like:
>>
>> 10:46:32.002146 IP neutron.blast.net.3649 > mirror.xxx.com.domain:
>> 38739 AAAA? 228.231.101.81.prc.tqmcube.com. (48)
>>
>> I cannot figure out what is happening here.
>
> One *possible* cause is -- at least one version of Sendmail shipped
> with Solaris (9? 8? - I don't remember) issued AAAA queries to
> DNSBLs.  I've seen this behaviour exactly from Sendmail running on an
> IPv6-enabled Solaris system - it was one of the reasons for writing
> rbldnsd in the first place, because rbldns from DJB - the only relevant
> piece of software available at the time - refused to reply to such
> queries, resulting in repeated requests (because the resolver didn't give
> up and repeated its queries) and eventually in the dnsbl lookup timing
> out.  Rbldnsd does not refuse such queries; it correctly answers with
> either "valid domain but no data of requested type" or NXDOMAIN
> (depending on whether the listing exists for this IP or not).
>
> Again, this is only one possible explanation.  I haven't seen this bug
> (and I do consider it a bug) in a long time now; it was fixed quite
> quickly.
>
> But I am seeing a lot of strange queries coming to the public DNSBL
> nameservers I'm running.  Like, asking for "random" data types like
> MX, PTR and whatnot (in your example they're asking for AAAA), or
> using a DNSBL as an RHSBL (like mx.example.com.list.dsbl.org A?), or
> even stuff like 2].0.0.[127.list.dsbl.org A?
> (yes, with those ']' and '[' - they're reversing the string
> representation of an IP address surrounded with []).
>
> That is to say - there's really a lot of fun stuff happening.  A lot of
> bugs in software (or configs) which are never fixed.  But the amount of
> this noise is minor compared with "normal" queries.
>
> In your case, if you think those queries are too much, the only way to
> figure out and probably stop them is to contact the relevant parties
> (blast.net?) and ask for help.  Or just deny queries from them..
> probably returning "listed" to everything (pssst.. it isn't me
> who's suggesting that, you never ever heard of me! ;)
>
> And no, rbldnsd can't be configured to return something fixed for a
> given type of queries.
>

Here's what's going on, and it's very simple.  On machines with IPv6 
enabled and functioning, for example a Linux box, the resolver by 
default does an AAAA lookup first, then a normal A lookup.  I can't 
remember why - I think it has something to do with an IPv6 related RFC, 
where IPv6 is supposed to be tried first before IPv4 unless the resolver 
library is explicitly told to do otherwise.

Since all of my servers and dns servers are IPv6 enabled, this is what 
happens.  Currently, we can even accept AHBL dnsbl queries directed at 
one of the servers via IPv6 as well (the others either I don't have 
control over, or haven't had time to set it up).


-- 
Bri Bruns
The Summit Open Source Development Group
http://www.sosdg.org     /     http://www.ahbl.org 
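As an added illustration (not code from this thread, from rbldnsd, or from anyone on the list), the following Python model shows the two mechanics the discussion turns on: how a DNSBL query name is built from an IP by reversing its octets (and what the bracket bug Michael describes produces instead), and how an rbldnsd-style server answers differently depending on query type, returning NODATA (NOERROR with an empty answer) for an AAAA query on a listed IP and NXDOMAIN for an unlisted one. The zone name dnsbl.example, the listing table, the 127.0.0.2 answer value and the sample tcpdump line are all constructed for the example.

```python
"""Toy model of DNSBL query names and rbldnsd-style answers.

Constructed example for illustration; it is not rbldnsd's code and the
zone, listings and log line below are made up.
"""
import ipaddress
import re

ZONE = "dnsbl.example"  # constructed zone name

# Constructed listing table: listed IP -> conventional DNSBL A-record value.
LISTED = {"81.101.231.228": "127.0.0.2"}

# Constructed tcpdump line in the same shape as the one quoted in the thread.
SAMPLE_LINE = ("10:46:32.002146 IP client.example.3649 > mirror.example.domain: "
               "38739 AAAA? 228.231.101.81.dnsbl.example. (48)")


def dnsbl_name(ip, zone=ZONE):
    """Correct construction: reverse the four octets and append the zone.
    81.101.231.228 -> 228.231.101.81.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def buggy_bracket_name(ip_literal, zone=ZONE):
    """The malformed name Michael describes: a client reverses the
    dot-separated fields of "[127.0.0.2]" without stripping the brackets,
    so the outer fields keep their '[' and ']' and the result is
    "2].0.0.[127.dnsbl.example"."""
    return ".".join(reversed(ip_literal.split("."))) + "." + zone


def ip_from_query_name(qname, zone=ZONE):
    """Recover the queried IP from a DNSBL name, or None if it does not
    parse as four reversed octets under the zone."""
    qname = qname.rstrip(".")
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:  # covers the bracket bug: "[127.0.0.2]" is not an address
        return None


def answer(qname, qtype, zone=ZONE):
    """Outcome an rbldnsd-style server gives, as the thread describes it:
    listed IP + A            -> ("NOERROR", record value)
    listed IP + other type   -> ("NOERROR", None)   i.e. NODATA, name exists
    unlisted or unparseable  -> ("NXDOMAIN", None)
    A resolver that gets a definite NODATA/NXDOMAIN stops retrying, which is
    why refusing AAAA queries (as rbldns did) caused the repeated requests."""
    ip = ip_from_query_name(qname, zone)
    if ip is None or ip not in LISTED:
        return ("NXDOMAIN", None)
    if qtype == "A":
        return ("NOERROR", LISTED[ip])
    return ("NOERROR", None)


# Matches "<id> <QTYPE>? <name> (<len>)" at the end of a tcpdump DNS line.
TCPDUMP_RE = re.compile(r"(\d+) (\w+)\? (\S+) \((\d+)\)")


def parse_tcpdump(line):
    """Extract query id, type, name and length from a tcpdump DNS line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        return None
    return {"id": int(m.group(1)), "qtype": m.group(2),
            "qname": m.group(3), "len": int(m.group(4))}


if __name__ == "__main__":
    q = parse_tcpdump(SAMPLE_LINE)
    print("query:", q)
    print("ip:", ip_from_query_name(q["qname"]))
    print("AAAA answer:", answer(q["qname"], q["qtype"]))
    print("A answer:   ", answer(q["qname"], "A"))
    print("bracket bug:", buggy_bracket_name("[127.0.0.2]"),
          "->", answer(buggy_bracket_name("[127.0.0.2]"), "A"))
```

Run it directly to see the walk-through: the AAAA query for the listed IP yields NOERROR with no data, the A query yields 127.0.0.2, and the bracketed name falls through to NXDOMAIN because it never parses as an address.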


