BIND sending queries to 127.0.0.2?

Wiley Sanders bind at wsanders.net
Thu Mar 1 00:11:13 UTC 2007


We have some Solaris and Fedora hosts set up as BIND "Appliances" for
customers to use (abuse :-) ) as destinations for their resolvers and
forwarders. We're seeing a few hosts sending out DNS queries to
127.0.0.2, all asking for lookups at relays.ordb.org:

chi001dn01.yipes.com -> 127.0.0.2    DNS C 0.0.0.0.relays.ordb.org. Internet Addr ?
chi001dn01.yipes.com -> 127.0.0.2    DNS C 88.14.155.141.relays.ordb.org. Internet Addr ?
chi001dn01.yipes.com -> 127.0.0.2    DNS C 63.11.8.83.relays.ordb.org. Internet Addr ?
chi001dn01.yipes.com -> 127.0.0.2    DNS C 119.106.110.67.relays.ordb.org. Internet Addr ?
chi001dn01.yipes.com -> 127.0.0.2    DNS C 130.55.191.202.relays.ordb.org. Internet Addr ?

Of course I can't put the finger on BIND directly, but can anyone
think of a way this could be a bug or some kind of obscure
configuration error? Our hosts are configured as generic "caching
only" hosts, using straight out of the box 9.3.1 on Fedora and 9.3.4 on
Solaris.

I dumped the cache and I don't see anything odd - a few dozen out of
thousands of entries are legit A records (spamcop.net, etc.)
returning 127.0.0.2.

I would expect, if these were spoofed, to see the 127.0.0.2 address
going in.... ??

Thanks
-wiley sanders
http://wsanders.net
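The cache check above looked for answers that contain 127.0.0.2. A resolver does not send queries to an answer address, though; it sends them to the A/AAAA addresses cached for the names in a zone's NS RRset. So the record to look for in a `rndc dumpdb` output is a cached nameserver hostname whose address is on loopback, with an NS record somewhere pointing at that hostname. The following script is an added example (not from the original post or from ISC) that parses named_dump.db-style lines and reports exactly that correlation; the dump lines, zone names and nameserver hostnames in it are constructed for illustration and do not describe what ordb.org actually served.

```python
"""Scan a BIND cache dump (rndc dumpdb -cache writes named_dump.db) for
nameserver names whose cached A/AAAA records point at loopback addresses.

Added example; SAMPLE_DUMP is constructed, not taken from the original
post or from any real cache."""
import ipaddress
from collections import defaultdict

# Constructed sample in the zone-file style used by named_dump.db.
# The hostnames under example-rbl.net / spamcop-example.net are invented.
SAMPLE_DUMP = """\
; Start view _default
; Cache dump of view '_default'
$DATE 20070301000000
; authanswer
relays.ordb.org.\t86400\tIN\tNS\tns1.example-rbl.net.
relays.ordb.org.\t86400\tIN\tNS\tns2.example-rbl.net.
; glue
ns1.example-rbl.net.\t3600\tIN\tA\t127.0.0.2
ns2.example-rbl.net.\t3600\tIN\tA\t192.0.2.53
; authanswer
bl.spamcop.net.\t3600\tIN\tNS\tns1.spamcop-example.net.
ns1.spamcop-example.net.\t3600\tIN\tA\t198.51.100.7
2.0.0.127.bl.spamcop.net.\t300\tIN\tA\t127.0.0.2
"""


def parse_cache_dump(text):
    """Return a list of (owner, ttl, rrtype, rdata) for each RR line.

    Comment lines (';'), directives ('$DATE', '$ORIGIN') and blank lines
    are skipped. Multi-line parenthesised records (RRSIG, DNSKEY) are not
    reassembled, which is fine here because only NS/A/AAAA matter."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        # Expected layout: owner TTL IN TYPE RDATA...
        if len(fields) < 5 or fields[2].upper() != "IN" or not fields[1].isdigit():
            continue
        owner, ttl, _cls, rrtype = fields[:4]
        records.append((owner.lower(), int(ttl), rrtype.upper(), " ".join(fields[4:])))
    return records


def loopback_nameservers(records):
    """Map each NS target whose cached A/AAAA set contains a loopback
    address to {"addrs": {...}, "zones": {...zones delegating to it...}}.

    This is the case that makes a recursive server send queries to
    127.0.0.2: the zone's own answers can look sane while the address
    cached for one of its nameservers is loopback."""
    ns_zones = defaultdict(set)   # nameserver hostname -> zones using it
    addrs = defaultdict(set)      # hostname -> cached addresses
    for owner, _ttl, rrtype, rdata in records:
        if rrtype == "NS":
            ns_zones[rdata.lower().rstrip(".")].add(owner.rstrip("."))
        elif rrtype in ("A", "AAAA"):
            try:
                addrs[owner.rstrip(".")].add(ipaddress.ip_address(rdata))
            except ValueError:
                continue  # malformed rdata, skip rather than crash
    result = {}
    for ns, zones in ns_zones.items():
        bad = {str(a) for a in addrs.get(ns, ()) if a.is_loopback}
        if bad:
            result[ns] = {"addrs": bad, "zones": set(zones)}
    return result


def loopback_answers(records):
    """Every cached A/AAAA record on loopback, i.e. what a manual grep of
    the dump for 127.0.0.2 turns up. DNSBL listings (127.0.0.x answers)
    land here and are harmless; only the subset that are NS targets
    (see loopback_nameservers) cause outbound queries to loopback."""
    out = []
    for owner, _ttl, rrtype, rdata in records:
        if rrtype in ("A", "AAAA"):
            try:
                if ipaddress.ip_address(rdata).is_loopback:
                    out.append((owner, rdata))
            except ValueError:
                pass
    return out


if __name__ == "__main__":
    recs = parse_cache_dump(SAMPLE_DUMP)
    for ns, info in loopback_nameservers(recs).items():
        print(f"{ns}: NS for {sorted(info['zones'])}, resolves to {sorted(info['addrs'])}")
```

To run it against a real server, replace SAMPLE_DUMP with the contents of named_dump.db after `rndc dumpdb -cache`; on the constructed input it reports only ns1.example-rbl.net, while the spamcop listing that also carries 127.0.0.2 is correctly left alone.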


