BIND sending quesries to 127.0.0.2?

Mark Andrews Mark_Andrews at isc.org
Thu Mar 1 00:32:25 UTC 2007 

> We have some Solaris and Fedora hosts set up as BIND "Applicances" for
> customers to use (abuse :-) ) as destinations for their resolvers and
> forwarders. We're seeing a few hosts sending out DNS queries to
> 127.0.0.2, all asking for lookups at relays.ordb.org:
> 
> chi001dn01.yipes.com -> 127.0.0.2    DNS C 0.0.0.0.relays.ordb.org.
> Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2    DNS C
> 88.14.155.141.relays.ordb.org. Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2    DNS C 63.11.8.83.relays.ordb.org.
> Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2    DNS C
> 119.106.110.67.relays.ordb.org. Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2    DNS C
> 130.55.191.202.relays.ordb.org. Internet Addr ?
> 
> Of course I can't put the finger on BIND directly, but can anyone
> think of a way this could be a bug or some kind of obscure
> configuration error? Our hosts are configured as generic "caching
> only" hosts, using stright out of the box 9.3.1 on Fedora and 9.3.4 on
> Solaris.
> 
> I dumped the cache and I don't see anything odd - a few dozen out of
> thousands of entries for legit A records of spamcop.net, etc records
> returning 127.0.0.2.
> 
> I would expect, if these were spoofed, to see the 127.0.0.2 address
> going in.... ??
> 
> Thanks
> -wiley sanders
> http://wsanders.net

	Turn on query logging and workout who is quering for
	*.relays.ordb.org.  Then get them to reconfigure their
	MTA's.

	Googling for ordb.org shows that is shutdown.

	http://it.slashdot.org/article.pl?sid=06/12/18/154259&from=rss

	Mark

drugs:9.4.x 11:26 {888} % dig +norec relays.ordb.org @ns1.ordb.moensted.dk

; <<>> DiG 9.3.3 <<>> +norec relays.ordb.org @ns1.ordb.moensted.dk
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62527
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;relays.ordb.org.               IN      A

;; AUTHORITY SECTION:
relays.ordb.org.        2419200 IN      NS      ns.ordb.org.

;; ADDITIONAL SECTION:
ns.ordb.org.            2419200 IN      A       127.0.0.2

;; Query time: 338 msec
;; SERVER: 194.176.123.3#53(194.176.123.3)
;; WHEN: Thu Mar  1 11:27:30 2007
;; MSG SIZE  rcvd: 66

drugs:9.4.x 11:27 {889} % 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list