[rbldnsd] v4-in-v6 queries seen in the wild
Alex Lasoriti
lasoriti at spamteq.com
Mon Jun 30 19:32:13 MSK 2014
On Wed, Jan 08, 2014 at 09:46:53AM +0200, Michael Tokarev wrote:
> 08.01.2014 01:22, Alex Lasoriti wrote:
> >I analyzed the flux of queries relative to IPv6 addresses that is
> >currently coming to the Spamhaus mirrors (even if at this stage
> >every IPv6 query is still getting NXDOMAIN as answer and the IPv6
> >service has not been announced yet... but of course mail servers
> >don't know that and generate those queries anyway!).
> >
> >While their overall number is still very tiny, about 12% of them
> >refer to IPs in ::ffff:0:0/96 - the so-called 'v4-in-v6' space
> >(excluding queries for the test addresses).
> >
> >So there are some mail servers around that see IPv4 addresses
> >embedded in an IPv6 framework rather than in their native form,
> >and they send out IPv6 queries to get BL information about
> >these IPv4 addresses - without bothering to convert them into their
> >native IPv4 representation.
> >
> >You see where I am going: right now, if a zone has both an IPv4 and
> >an IPv6 dataset attached, these two spaces are treated as entirely
> >separate and independent. So, A.B.C.D may be listed but its
> >v6-in-v4 counterpart ::ffff:A.B.C.D may not be listed. So a query for
> >::ffff:A.B.C.D will return NXDOMAIN and the mail will go through.
>
> I'm travelling right now and don't have my normal access to things,
> so just a quick reply. Rbldnsd has code to recognize v4-in-v6
> addresses and to convert them to plain v4 form. It is covered by
> an ifdef, but I think it should be enabled by default. The idea was
> to list just v4 version as you normally do, and rbldnsd does the
> Right Thing (tm) with the mapped addresses.
>
> If you don't see it is working, -- maybe there's just a bug in there.
> When I implemented it, I wasn't able to actually test it, so have
> no real idea whether it actually works ;)
>
> I'll check it out when I return (which will be around Jan-12).
Jun 12 you said? :)

Also, what about the 6to4's (RFC3056)? It would perhaps be nice if
a listing for an IPv4 would automatically consider listed also
2002:V4ADDR::/48

Alex
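
An added example, not part of the original message and not rbldnsd's own code: a C sketch of the normalization discussed in this thread, recognising addresses in ::ffff:0:0/96 and 2002::/16 (RFC 3056) and deriving the IPv4-style DNSBL query name from the embedded address. The function names, the zone bl.example.org and the sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kinds of IPv4 address embedded in an IPv6 address. */
enum embed_kind { EMBED_NONE = 0, EMBED_MAPPED, EMBED_6TO4 };

/* If a6 (16 bytes, network order) lies in ::ffff:0:0/96 or 2002::/16,
 * copy the embedded IPv4 address into v4 and report which kind it was. */
enum embed_kind extract_v4(const uint8_t a6[16], uint8_t v4[4])
{
    static const uint8_t mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (memcmp(a6, mapped, 12) == 0) {      /* ::ffff:A.B.C.D */
        memcpy(v4, a6 + 12, 4);
        return EMBED_MAPPED;
    }
    if (a6[0] == 0x20 && a6[1] == 0x02) {   /* 2002:V4ADDR::/48 */
        memcpy(v4, a6 + 2, 4);
        return EMBED_6TO4;
    }
    return EMBED_NONE;
}

/* Hypothetical helper: parse a textual IPv6 address and, when it embeds an
 * IPv4 address, write the IPv4-style query name (D.C.B.A.zone) into out.
 * Returns the embed kind, or -1 on a parse error or a too-small buffer. */
int v4_query_name(const char *ip6, const char *zone, char *out, size_t len)
{
    uint8_t a6[16], v4[4];
    if (len == 0 || inet_pton(AF_INET6, ip6, a6) != 1)
        return -1;
    out[0] = '\0';
    enum embed_kind k = extract_v4(a6, v4);
    if (k == EMBED_NONE)
        return k;                           /* native IPv6: no v4 lookup */
    int n = snprintf(out, len, "%d.%d.%d.%d.%s", v4[3], v4[2], v4[1], v4[0], zone);
    return (n < 0 || (size_t)n >= len) ? -1 : (int)k;
}

int main(void)
{
    /* Constructed sample addresses from documentation ranges. */
    const char *s[] = { "::ffff:192.0.2.1", "2002:c000:201::1", "2001:db8::1" };
    char name[128];
    for (size_t i = 0; i < 3; i++) {
        int k = v4_query_name(s[i], "bl.example.org", name, sizeof name);
        printf("%-18s kind=%d name=%s\n", s[i], k, name);
    }
    return 0;
}
```

Both embedded forms of 192.0.2.1 resolve to the same IPv4 query name, so a single IPv4 listing covers them.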