[rbldnsd] v4-in-v6 queries seen in the wild

Michael Tokarev mjt at tls.msk.ru
Tue Jul 1 08:31:20 MSK 2014


30.06.2014 19:32, Alex Lasoriti wrote:
> On Wed, Jan 08, 2014 at 09:46:53AM +0200, Michael Tokarev wrote:
>> 08.01.2014 01:22, Alex Lasoriti wrote:
>>> I analyzed the flux of queries relative to IPv6 addresses that is
>>> currently coming to the Spamhaus mirrors  (even if at this stage
>>> every IPv6 query is still getting NXDOMAIN as answer and the IPv6
>>> service has not been announced yet... but of course mail servers
>>> don't know that and generate those queries anyway!).
>>>
>>> While their overall number is still very tiny, about 12% of them
>>> refer to IPs in ::ffff:0:0/96 - the so-called 'v4-in-v6' space
>>> (excluding queries for the test addresses).
>>>
>>> So there are some mail servers around that see IPv4 addresses
>>> embedded in an IPv6 framework rather than in their native form,
>>> and they send out IPv6 queries to get BL information about
>>> these IPv4 addresses - without bothering to convert them into their
>>> native IPv4 representation.
>>>
>>> You see where I am going: right now, if a zone has both an IPv4 and
>>> an IPv6 dataset attached, these two spaces are treated as entirely
>>> separate and independent.  So, A.B.C.D may be listed but its
>>> v6-in-v4 counterpart ::ffff:A.B.C.D may not be listed.  So a query for
>>> ::ffff:A.B.C.D will return NXDOMAIN and the mail will go through.
>>
>> I'm travelling right now and don't have my normal access to things,
>> so just a quick reply.  Rbldnsd has code to recognize v4-in-v6
>> addresses and to convert them to plain v4 form.  It is covered by
>> an ifdef, but I think it should be enabled by default.  The idea was
>> to list just v4 version as you normally do, and rbldnsd does the
>> Right Thing (tm) with the mapped addresses.
>>
>> If you don't see it working, maybe there's just a bug in there.
>> When I implemented it, I wasn't able to actually test it, so have
>> no real idea whether it actually works ;)
>>
>> I'll check it out when I return (which will be around Jan-12).
> 
> Jun 12 you said ? :)

Damn.  I merely forgot about this.  I was travelling at that time,
and didn't have my usual email tools handy, which I use to sort
things (what to do, what can wait etc), and of course this email
ended in a big pile of other read things.

But your timing is excellent.  Because in 2 hours from now there will
be my flight to my summer vacation place (which happens to be
Mallorca, Spain), where I will be for the next 2 weeks, until Jul-15.

Well, at least I do have my usual mail flow here, so I sorted it
into the real "todo" folder.  Maybe I'll be able to take a look
at this while on a beach... ;)

> Also, what about the 6to4's (RFC3056) ? It would perhaps be nice if 
> a listing for an IPv4 would automatically consider listed also
> 2002:V4ADDR::/48

Yes, and I think some variation of this theme is already supported.

Thanks,

/mjt
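
The mapping discussed in this thread, as an added example that is not part of the original message and is not rbldnsd's own code: it parses the reversed-nibble form of an IPv6 DNSBL query, detects a v4-mapped (::ffff:0:0/96) or 6to4 (2002:V4ADDR::/48) address, and rewrites the query to the reversed-octet IPv4 form so the IPv4 dataset can answer it. The function names, the `Z4` and `MAPPED_Q` macros, and the assumption that the zone suffix has already been removed from the query name are all hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define Z4 ".0.0.0.0"   /* constructed sample data, zone suffix removed */
#define MAPPED_Q "1.0.2.0.0.0.0.c.f.f.f.f" Z4 Z4 Z4 Z4 Z4   /* ::ffff:192.0.2.1 */

/* Parse the 32 reversed nibble labels of an IPv6 query into 16 address
 * bytes. Returns 0 on success, -1 on malformed input. */
int nibbles_to_addr(const char *q, uint8_t addr[16])
{
    memset(addr, 0, 16);
    for (int i = 0; i < 32; i++) {
        unsigned char c = (unsigned char)q[2 * i];
        if (!isxdigit(c) || q[2 * i + 1] != (i < 31 ? '.' : '\0'))
            return -1;                /* short-circuit stops at an early NUL */
        unsigned v = (unsigned)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
        int n = 31 - i;               /* first label is the lowest nibble */
        addr[n / 2] |= (uint8_t)(n % 2 ? v : v << 4);
    }
    return 0;
}

/* Return 1 and fill v4 when addr is v4-mapped (::ffff:0:0/96) or
 * 6to4 (2002:V4ADDR::/48, RFC 3056); return 0 for any other address. */
int embedded_v4(const uint8_t addr[16], uint8_t v4[4])
{
    static const uint8_t mapped[12] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
    int off = memcmp(addr, mapped, 12) == 0 ? 12
            : (addr[0] == 0x20 && addr[1] == 0x02) ? 2 : -1;
    if (off < 0)
        return 0;
    memcpy(v4, addr + off, 4);
    return 1;
}

/* Rewrite an IPv6 query into the reversed-octet IPv4 query. Returns 1 if
 * rewritten, 0 if no IPv4 address is embedded, -1 if the name is malformed. */
int v4_query(const char *q, char *out, size_t outlen)
{
    uint8_t a[16], v4[4];
    if (nibbles_to_addr(q, a) != 0) return -1;
    if (!embedded_v4(a, v4)) return 0;
    snprintf(out, outlen, "%d.%d.%d.%d", v4[3], v4[2], v4[1], v4[0]);
    return 1;
}

int main(void) { char o[16]; if (v4_query(MAPPED_Q, o, sizeof o) == 1) puts(o); return 0; }
```

A return value of 0 means the query should be looked up in the IPv6 dataset unchanged.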

