BIND sending queries to 127.0.0.2?
Mark Andrews
Mark_Andrews at isc.org
Thu Mar 1 00:32:25 UTC 2007
> We have some Solaris and Fedora hosts set up as BIND "Appliances" for
> customers to use (abuse :-) ) as destinations for their resolvers and
> forwarders. We're seeing a few hosts sending out DNS queries to
> 127.0.0.2, all asking for lookups at relays.ordb.org:
>
> chi001dn01.yipes.com -> 127.0.0.2 DNS C 0.0.0.0.relays.ordb.org. Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2 DNS C 88.14.155.141.relays.ordb.org. Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2 DNS C 63.11.8.83.relays.ordb.org. Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2 DNS C 119.106.110.67.relays.ordb.org. Internet Addr ?
> chi001dn01.yipes.com -> 127.0.0.2 DNS C 130.55.191.202.relays.ordb.org. Internet Addr ?
>
> Of course I can't put the finger on BIND directly, but can anyone
> think of a way this could be a bug or some kind of obscure
> configuration error? Our hosts are configured as generic "caching
> only" hosts, using straight out of the box 9.3.1 on Fedora and 9.3.4 on
> Solaris.
>
> I dumped the cache and I don't see anything odd - a few dozen out of
> thousands of entries for legit A records of spamcop.net, etc records
> returning 127.0.0.2.
>
> I would expect, if these were spoofed, to see the 127.0.0.2 address
> going in.... ??
>
> Thanks
> -wiley sanders
> http://wsanders.net

Turn on query logging and work out who is querying for
*.relays.ordb.org. Then get them to reconfigure their
MTAs.
Googling for ordb.org shows that it is shut down.
http://it.slashdot.org/article.pl?sid=06/12/18/154259&from=rss
Mark
drugs:9.4.x 11:26 {888} % dig +norec relays.ordb.org @ns1.ordb.moensted.dk
; <<>> DiG 9.3.3 <<>> +norec relays.ordb.org @ns1.ordb.moensted.dk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62527
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;relays.ordb.org. IN A
;; AUTHORITY SECTION:
relays.ordb.org. 2419200 IN NS ns.ordb.org.
;; ADDITIONAL SECTION:
ns.ordb.org. 2419200 IN A 127.0.0.2
;; Query time: 338 msec
;; SERVER: 194.176.123.3#53(194.176.123.3)
;; WHEN: Thu Mar 1 11:27:30 2007
;; MSG SIZE rcvd: 66
drugs:9.4.x 11:27 {889} %
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
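
Added example (not part of the original message and not ISC code): one way to act on the advice above once query logging is on, tallying which clients ask for names under relays.ordb.org and which addresses they are checking. The log-line layout in the regex and the sample lines are assumptions constructed for illustration; adjust the pattern to the querylog output of your named version.

```python
import re
from collections import Counter, defaultdict

DEAD_ZONE = "relays.ordb.org"  # zone named in the thread

# Assumed querylog layout: "client ADDR#PORT[ extra]: query: NAME IN TYPE FLAGS"
LINE_RE = re.compile(
    r"client\s+(?:@\S+\s+)?(?P<addr>[0-9A-Fa-f.:]+)#\d+.*?:\s+query:\s+"
    r"(?P<name>\S+)\s+IN\s+\S+"
)

def under_zone(name, zone=DEAD_ZONE):
    """True if name is the zone or a subdomain of it (label-boundary match)."""
    n = name.rstrip(".").lower()
    return n == zone or n.endswith("." + zone)

def checked_ip(name, zone=DEAD_ZONE):
    """DNSBL query names carry the checked IPv4 address with octets reversed."""
    labels = name.rstrip(".").lower()[: -len(zone)].rstrip(".").split(".")
    if len(labels) == 4 and all(l.isdigit() and int(l) < 256 for l in labels):
        return ".".join(reversed(labels))
    return None

def tally(lines, zone=DEAD_ZONE):
    """Return (queries per client, set of checked IPs per client)."""
    counts, targets = Counter(), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not under_zone(m.group("name"), zone):
            continue
        counts[m.group("addr")] += 1
        ip = checked_ip(m.group("name"), zone)
        if ip:
            targets[m.group("addr")].add(ip)
    return counts, targets

# Constructed sample log lines (client addresses are documentation-range).
SAMPLE = [
    "01-Mar-2007 00:10:01.100 client 192.0.2.25#32801: query: 88.14.155.141.relays.ordb.org IN A +",
    "01-Mar-2007 00:10:01.450 client 192.0.2.25#32802: query: 63.11.8.83.relays.ordb.org IN A +",
    "01-Mar-2007 00:10:02.020 client 192.0.2.77#1045: query: www.example.com IN A +",
    "01-Mar-2007 00:10:03.310 client 192.0.2.40#4410: query: 0.0.0.0.RELAYS.ORDB.ORG. IN A +",
    "01-Mar-2007 00:10:04.000 client 192.0.2.77#1046: query: xrelays.ordb.org IN A +",
]

if __name__ == "__main__":
    counts, targets = tally(SAMPLE)
    for addr, n in counts.most_common():
        print(f"{addr}: {n} queries, checking {sorted(targets[addr])}")
```

The clients at the top of the tally are the hosts whose MTAs still reference the shut-down list.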