repeated req: nlookup(aol.com) type=15 class=1

Jim Reid jim at mpn.cp.philips.com
Thu Jul 29 09:17:22 UTC 1999


>>>>> "Mark" == Mark Kent <mark at noc.mainstreet.net> writes:

    Mark> Hello, I have observed repeated queries to our listed(*)
    Mark> nameservers of this type:

    Mark> These are coming in at about 1 or 2 a second from a dozen
    Mark> hosts spread out around the net.  None of these hosts should
    Mark> be pointing at our nameservers for routine name lookups, and
    Mark> of course we are not authoritative for aol.com. All are
    Mark> type=15 (MX record).

    Mark> I am going to block these out, but I was wondering what
    Mark> would cause such behavior?  They are all asking the same
    Mark> question, of the wrong servers, and repeating it over and
    Mark> over and over...

The behaviour is caused by bad DNS software (or badly configured DNS
software). The most likely explanation is that the offending sites
have resolver configurations (or forwarder statements in
named.conf/named.boot) which point at your name server.

Blocking out those IP addresses from accessing your name server is
probably more bother than it's worth. You could do this with an ACL in
your router or in named.conf. However, that will block legitimate
traffic as well as the unwanted stuff. And don't overlook the
overheads on your name server if you use an ACL there. Every incoming
query will have to be checked before it is answered. That could be a
significant load if your server gets lots of queries and/or the ACL is
long.

The next problem is that blocking the IP addresses of these systems
might make them mad at you. Their software might go crazy because it
can't get an answer and go off into a tight loop firing queries at you
as fast as they can. [I've seen this happen with PC resolvers on our
intranet. Sigh.] So, it might be better to just put up with the status
quo and chase the admins at these sites to find and fix their broken
configurations.

I'd also consider the possibility that these IP addresses have been
used by spammers. Continually looking up MX records on somebody else's
name servers would fit that pattern of anti-social behaviour.
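As an added example (not part of Jim's or Mark's posts), the script below does by hand what the thread discusses: it parses BIND 8-style debug log lines, finds sources that keep repeating the same question (the aol.com MX queries arriving at 1 or 2 a second described above) and renders the named.conf ACL that Jim mentions as one way to block them. The log lines are constructed to approximate what BIND 8 named writes at debug level 1 (a "datagram from" line followed by a "req: nlookup" line); they are not real traffic, and the thresholds, function names and ACL name are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample approximating BIND 8 named debug output: each query shows up as a
# "datagram from" line (source address) followed by a "req: nlookup" line (question).
# Made-up traffic for this example, not real log data.
SAMPLE_LOG = """\
Jul 29 09:17:20 datagram from [192.0.2.10].1029, fd 20, len 25
Jul 29 09:17:20 req: nlookup(aol.com) id 4 type=15 class=1
Jul 29 09:17:20 datagram from [192.0.2.20].2048, fd 20, len 25
Jul 29 09:17:20 req: nlookup(aol.com) id 9 type=15 class=1
Jul 29 09:17:21 datagram from [192.0.2.10].1029, fd 20, len 25
Jul 29 09:17:21 req: nlookup(aol.com) id 5 type=15 class=1
Jul 29 09:17:21 datagram from [198.51.100.7].3331, fd 20, len 34
Jul 29 09:17:21 req: nlookup(mail.example.net) id 1 type=1 class=1
Jul 29 09:17:21 datagram from [192.0.2.10].1029, fd 20, len 25
Jul 29 09:17:21 req: nlookup(aol.com) id 6 type=15 class=1
Jul 29 09:17:22 datagram from [192.0.2.20].2048, fd 20, len 25
Jul 29 09:17:22 req: nlookup(aol.com) id 10 type=15 class=1
Jul 29 09:17:22 datagram from [192.0.2.10].1029, fd 20, len 25
Jul 29 09:17:22 req: nlookup(aol.com) id 7 type=15 class=1
Jul 29 09:17:22 datagram from [198.51.100.7].3331, fd 20, len 30
Jul 29 09:17:22 req: nlookup(example.net) id 2 type=15 class=1
Jul 29 09:17:23 datagram from [192.0.2.20].2048, fd 20, len 25
Jul 29 09:17:23 req: nlookup(aol.com) id 11 type=15 class=1
Jul 29 09:17:23 datagram from [192.0.2.10].1029, fd 20, len 25
Jul 29 09:17:23 req: nlookup(aol.com) id 8 type=15 class=1
Jul 29 09:17:23 datagram from [192.0.2.10].1029, fd 20, len 25
Jul 29 09:17:23 req: nlookup(aol.com) id 9 type=15 class=1
Jul 29 09:17:23 datagram from [192.0.2.20].2048, fd 20, len 25
Jul 29 09:17:23 req: nlookup(aol.com) id 12 type=15 class=1
"""

DATAGRAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) datagram from \[(?P<src>[\d.]+)\]\.(?P<port>\d+)")
REQ_RE = re.compile(
    r"req: nlookup\((?P<qname>[^)]*)\) id \d+ type=(?P<qtype>\d+) class=(?P<qclass>\d+)")

# Only the RR types needed to label the report; 15 is MX, as in the subject line.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT"}


def parse_queries(text):
    """Pair each 'datagram from' line with the 'req: nlookup' line that follows it."""
    queries, pending = [], None
    for line in text.splitlines():
        m = DATAGRAM_RE.match(line)
        if m:
            pending = (datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("src"))
            continue
        m = REQ_RE.search(line)
        if m and pending:
            ts, src = pending
            queries.append({"ts": ts, "src": src, "qname": m.group("qname").lower(),
                            "qtype": int(m.group("qtype")), "qclass": int(m.group("qclass"))})
            pending = None
    return queries


def find_repeaters(queries, min_repeats=5, min_rate=1.0):
    """Return {src: (qname, qtype, count, queries_per_second)} for sources that ask the
    same (qname, qtype) at least min_repeats times at min_rate or faster. Thresholds are
    this example's assumptions; tune them to the server's normal load."""
    buckets = defaultdict(list)
    for q in queries:
        buckets[(q["src"], q["qname"], q["qtype"])].append(q["ts"])
    hits = {}
    for (src, qname, qtype), stamps in buckets.items():
        if len(stamps) < min_repeats:
            continue
        span = (max(stamps) - min(stamps)).total_seconds()
        rate = len(stamps) / max(span, 1.0)   # avoid division by zero for a burst in one second
        if rate >= min_rate:
            hits[src] = (qname, QTYPE_NAMES.get(qtype, str(qtype)), len(stamps), rate)
    return hits


def named_conf_acl(sources, name="repeaters"):
    """Render a named.conf fragment that refuses queries from the flagged sources.
    The acl name is an assumption of this example."""
    ordered = sorted(sources, key=lambda s: tuple(int(o) for o in s.split(".")))
    entries = "".join(f"    {s};\n" for s in ordered)
    return (f"acl {name} {{\n{entries}}};\n"
            "options {\n"
            f"    allow-query {{ !{name}; any; }};\n"
            "};\n")


if __name__ == "__main__":
    hits = find_repeaters(parse_queries(SAMPLE_LOG))
    for src, (qname, qtype, count, rate) in hits.items():
        print(f"{src}: {count}x {qname} {qtype} at {rate:.1f}/s")
    print(named_conf_acl(hits))
```

The fragment is something to review, not to drop into named.conf unseen: as Jim points out, an allow-query ACL is evaluated on every incoming query and a client that is refused may simply retry harder, so the script's real value is the list of sources and repeat rates to take to the remote admins.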
