PTR-Queries asking for type A or AAAA
Hello,

today I noticed that my DNS servers are getting a noticeable amount of DNS queries for my IPv4 reverse zone, asking for type A or AAAA.

Example with tcpdump:

22:22:06.019962 IP 160.45.8.8.45341 > 172.29.56.218.53: 34558 [1au] A? y.x.144.217.in-addr.arpa. (57)
22:22:06.129485 IP 160.45.41.8.55855 > 172.29.56.218.53: 12449% [1au] A? y.x.144.217.in-addr.arpa. (57)
22:22:12.571720 IP 160.45.113.3.11019 > 172.29.56.218.53: 15364 [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:22:13.571228 IP 160.45.41.4.57403 > 172.29.56.218.53: 11276 [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:22:14.561769 IP 160.45.113.3.1159 > 172.29.56.218.53: 16591% [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:22:17.172626 IP 160.45.8.8.34605 > 172.29.56.218.53: 10352 [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:22:17.281042 IP 160.45.41.8.56158 > 172.29.56.218.53: 32812% [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:30:09.386217 IP 134.169.34.26.52144 > 172.29.56.218.53: 29463% [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:30:09.539619 IP 134.169.34.56.59778 > 172.29.56.218.53: 63208% [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:30:09.699493 IP 134.169.34.26.63325 > 172.29.56.218.53: 25399% [1au] A? y.x.144.217.in-addr.arpa. (57)
22:30:09.859583 IP 134.169.34.56.41423 > 172.29.56.218.53: 23848% [1au] A? y.x.144.217.in-addr.arpa. (57)
22:30:19.200884 IP 139.17.128.10.65059 > 172.29.56.218.53: 37206 [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:30:20.694596 IP 213.136.95.10.42215 > 172.29.56.218.53: 13396% [1au] A? y.x.144.217.in-addr.arpa. (57)

The top queries are for the IP address of my NTP pool server, the other one is for the IP of my primary DNS server. These are originating from several IP addresses, sometimes also Google DNS and DNS resolvers of universities.

I've never suffered any problems with my PTR zone and there are enough legitimate queries to prove to me that the zone is working as it should...

Is this "normal background noise" or could that be caused by a malformed DNS zone?
Or is anyone else seeing those weird queries?

Thanks!

Greetings from Wuppertal
Max
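A small tally script for the pattern Max describes, added here as an illustration and not code from anyone in the thread: it parses tcpdump lines in the format shown above and counts queries to in-addr.arpa or ip6.arpa names whose type is not PTR, by type and by source resolver. The first four sample lines are copied from the post; the last two (RFC 5737 addresses, the name ntp.example.net) are constructed to show that ordinary PTR and forward A queries are not flagged.

```python
import re
from collections import Counter

# One tcpdump DNS query line, as in the post; "[1au]" marks an EDNS0 OPT record and
# the characters after the id (+ % $ |) are header flags:
# 22:22:06.019962 IP 160.45.8.8.45341 > 172.29.56.218.53: 34558 [1au] A? y.x.144.217.in-addr.arpa. (57)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<id>\d+)(?P<flags>[+%$|]*) "
    r"(?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)
REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")

def parse_query(line):
    """Parse one tcpdump line into a dict of fields; None if it is not a DNS query line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise trailing dot and case
    return rec

def odd_reverse_queries(lines):
    """Queries that hit a reverse zone with a type other than PTR, plus counters by type and source."""
    odd, by_qtype, by_src = [], Counter(), Counter()
    for line in lines:
        rec = parse_query(line)
        if rec is None or not rec["qname"].endswith(REVERSE_SUFFIXES):
            continue
        if rec["qtype"] == "PTR":
            continue  # the expected type for a reverse zone, not interesting here
        odd.append(rec)
        by_qtype[rec["qtype"]] += 1
        by_src[rec["src"]] += 1
    return odd, by_qtype, by_src

# Sample input: the first four lines are copied from the post; the last two are
# constructed (RFC 5737 addresses) to show that PTR and forward A queries are not flagged.
SAMPLE = """\
22:22:06.019962 IP 160.45.8.8.45341 > 172.29.56.218.53: 34558 [1au] A? y.x.144.217.in-addr.arpa. (57)
22:22:06.129485 IP 160.45.41.8.55855 > 172.29.56.218.53: 12449% [1au] A? y.x.144.217.in-addr.arpa. (57)
22:22:12.571720 IP 160.45.113.3.11019 > 172.29.56.218.53: 15364 [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:30:19.200884 IP 139.17.128.10.65059 > 172.29.56.218.53: 37206 [1au] AAAA? y.x.144.217.in-addr.arpa. (57)
22:30:25.000000 IP 192.0.2.10.40001 > 172.29.56.218.53: 40001+ PTR? y.x.144.217.in-addr.arpa. (57)
22:30:26.000000 IP 192.0.2.11.40002 > 172.29.56.218.53: 40002+ A? ntp.example.net. (33)
"""

if __name__ == "__main__":
    odd, by_qtype, by_src = odd_reverse_queries(SAMPLE.splitlines())
    print(len(odd), "non-PTR queries to reverse names:", dict(by_qtype), dict(by_src))
```

Feeding it `tcpdump -n -l port 53` output (or a saved capture) gives a per-resolver count, which is the quickest way to tell a handful of probing clients from genuinely widespread noise.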
> today I noticed that my DNS servers are getting a noticeable amount of DNS queries for my IPv4 reverse zone, asking for type A or AAAA.

how strange, as a reverse zone should pretty much be all PTRs

randy
Randy Bush <randy@psg.com> writes:

>> today I noticed that my DNS servers are getting a noticeable amount of DNS queries for my IPv4 reverse zone, asking for type A or AAAA.
>
> how strange, as a reverse zone should pretty much be all PTRs

Not always: https://cr.yp.to/djbdns/walldns.html

Maybe someone is testing for walldns presence? Not that it is a particularly good test, but you never know what the kids will do...

Nope, that cannot explain AAAA requests so there is probably something else going on.

Bjørn
On Jan 9, 2016, at 6:56 AM, Bjørn Mork <bjorn@mork.no> wrote:

> Randy Bush <randy@psg.com> writes:
>
>>> today I noticed that my DNS servers are getting a noticeable amount of DNS queries for my IPv4 reverse zone, asking for type A or AAAA.
>>
>> how strange, as a reverse zone should pretty much be all PTRs
>
> Not always: https://cr.yp.to/djbdns/walldns.html
>
> Maybe someone is testing for walldns presence? Not that it is a particularly good test, but you never know what the kids will do... Nope, that cannot explain AAAA requests so there is probably something else going on.

My guess (with no data) would be a spam run using harvested domain names that didn't weed out silly names (why bother if you're a spammer?).

Regards,
-drc