[rbldnsd] v4-in-v6 queries seen in the wild

Michael Tokarev mjt at tls.msk.ru
Wed Jan 8 11:46:53 MSK 2014


08.01.2014 01:22, Alex Lasoriti wrote:
> I analyzed the flux of queries relative to IPv6 addresses that is
> currently coming to the Spamhaus mirrors  (even if at this stage
> every IPv6 query is still getting NXDOMAIN as answer and the IPv6
> service has not been announced yet... but of course mail servers
> don't know that and generate those queries anyway!).
>
> While their overall number is still very tiny, about 12% of them
> refer to IPs in ::ffff:0:0/96 - the so-called 'v4-in-v6' space
> (excluding queries for the test addresses).
>
> So there are some mail servers around that see IPv4 addresses
> embedded in an IPv6 framework rather than in their native form,
> and they send out IPv6 queries to get BL information about
> these IPv4 addresses - without bothering to convert them into their
> native IPv4 representation.
>
> You see where I am going: right now, if a zone has both an IPv4 and
> an IPv6 dataset attached, these two spaces are treated as entirely
> separate and independent.  So, A.B.C.D may be listed but its
> v6-in-v4 counterpart ::ffff:A.B.C.D may not be listed.  So a query for
> ::ffff:A.B.C.D will return NXDOMAIN and the mail will go through.

I'm travelling right now and don't have my normal access to things,
so just a quick reply.  Rbldnsd has code to recognize v4-in-v6
addresses and to convert them to plain v4 form.  It is covered by
an ifdef, but I think it should be enabled by default.  The idea was
to list just v4 version as you normally do, and rbldnsd does the
Right Thing (tm) with the mapped addresses.

If you don't see it working, maybe there's just a bug in there.
When I implemented it, I wasn't able to actually test it, so have
no real idea whether it actually works ;)

I'll check it out when I return (which will be around Jan-12).

Thanks,

/mjt
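
The mapping discussed in this message, as an added example that is not part of the original post and is not rbldnsd's own code: it decodes the 32 reversed nibble labels of an IPv6 DNSBL query, detects the ::ffff:0:0/96 prefix, and produces the equivalent IPv4 query labels so the v4 dataset can be consulted. The function names are hypothetical, the zone suffix is assumed to be already stripped, and the sample query is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Decode one hex digit; -1 if the character is not hex. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse 32 dot-separated nibble labels (least significant first)
 * into a 16-byte address. Returns 0 on success, -1 if malformed. */
static int parse_nibbles(const char *q, unsigned char ip6[16]) {
    if (strlen(q) != 63) return -1;          /* 32 nibbles + 31 dots */
    memset(ip6, 0, 16);
    for (int i = 0; i < 32; i++) {
        int v = hexval(q[2 * i]);
        if (v < 0 || (i < 31 && q[2 * i + 1] != '.')) return -1;
        int pos = 31 - i;                    /* nibble index from the left */
        ip6[pos / 2] |= (unsigned char)((pos & 1) ? v : v << 4);
    }
    return 0;
}

/* Returns 1 and fills v4 when the query is for ::ffff:A.B.C.D,
 * 0 for any other IPv6 address, -1 for a malformed name. */
int mapped_query_to_v4(const char *q, unsigned char v4[4]) {
    static const unsigned char prefix[12] =
        {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
    unsigned char ip6[16];
    if (parse_nibbles(q, ip6) != 0) return -1;
    if (memcmp(ip6, prefix, 12) != 0) return 0;
    memcpy(v4, ip6 + 12, 4);
    return 1;
}

/* Build the IPv4 DNSBL query labels (reversed octets), e.g. "4.3.2.1". */
int v4_query_name(const unsigned char v4[4], char *buf, size_t n) {
    return snprintf(buf, n, "%d.%d.%d.%d", v4[3], v4[2], v4[1], v4[0]);
}

int main(void) {
    /* Constructed sample: query labels for ::ffff:1.2.3.4 */
    const char *q = "4.0.3.0.2.0.1.0." "f.f.f.f."
                    "0.0.0.0.0.0.0.0.0.0." "0.0.0.0.0.0.0.0.0.0";
    unsigned char v4[4];
    char buf[16];
    if (mapped_query_to_v4(q, v4) == 1 && v4_query_name(v4, buf, sizeof buf) > 0)
        printf("look up %s in the IPv4 dataset\n", buf);
    return 0;
}
```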

