And I was wondering why my nameserver went haywire

Barry Margolin barmar at genuity.net
Tue Apr 25 17:26:23 UTC 2000


In article <20000425134152.E67044 at lucifer.bart.nl>,
Jeroen Ruigrok van der Werven  <jruigrok at via-net-works.nl> wrote:
>-On [20000424 20:10], Barry Margolin (barmar at genuity.net) wrote:
>>In article <20000421223419.D35334 at lucifer.bart.nl>,
>>Jeroen Ruigrok van der Werven  <jruigrok at via-net-works.nl> wrote:
>>>dig @ns1.cwie.net any 61.230.240.207.in-addr.arpa
>>
>>dig just says "ns_initparse: Message too long" when I try it.
>
>Which dig would that be?  This is the 8.2.2-p5 one and I get 2000 PTR
>records back =\

I'm using DiG 8.1.

>>You could make your local nameserver authoritative for the
>>61.230.240.207.in-addr.arpa zone, and put a single PTR record pointing to
>>hadar.cwie.net in it.
>
>Yeah, but it would be better if these guys fix their DNS. =)

Of course.  You asked what to do if they *didn't* fix their DNS.

>>>For the time being I blackholed ns1.cwie.net because my logfile was
>>>filling up like mad.
>>
>>I wonder why you're doing so many lookups of this address.  Our nameservers
>>have only logged 24 "TCP truncated" messages for that entry in the past 3
>>days.
>
>No idea.  Obviously lots of our clients like to watch pr0n or something.
>*hides his $HOME/pr0n* ;)

But that still doesn't explain it.  You shouldn't need to do reverse
lookups when connecting to a web site.  Typically, reverse lookups are only
done by servers when they receive incoming connections.

You might try turning on query logging to see where these lookups are
coming from, which could allow you to prevent them in the first place.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
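
[Added example, not part of the original post: once query logging is on, a tally of PTR queries per client shows where the lookups come from. The log layout assumed here is the BIND 9 style "client <ip>#<port>: query: <name> <class> <type>" (the BIND 8 servers in this thread log a different layout), and the sample lines and the helper names ptr_sources/top_sources are constructed for illustration.]

```python
import re
from collections import Counter

# Assumed layout (BIND 9 style): "client <ip>#<port>: query: <name> <class> <type> <flags>"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# Constructed sample log (documentation address ranges), not taken from the thread.
SAMPLE_LOG = """\
25-Apr-2000 17:01:02.101 client 192.0.2.10#1031: query: 61.230.240.207.in-addr.arpa IN PTR +
25-Apr-2000 17:01:02.350 client 192.0.2.10#1032: query: 61.230.240.207.in-addr.arpa IN PTR +
25-Apr-2000 17:01:03.007 client 192.0.2.25#2044: query: 61.230.240.207.in-addr.arpa. IN PTR +
25-Apr-2000 17:01:03.412 client 192.0.2.10#1033: query: www.example.com IN A +
25-Apr-2000 17:01:04.120 client 198.51.100.7#4021: query: 1.2.0.192.in-addr.arpa IN PTR +
25-Apr-2000 17:01:04.900 client 192.0.2.10#1034: query: 61.230.240.207.IN-ADDR.ARPA IN PTR +
25-Apr-2000 17:01:05.000 general: zone example.com/IN: loaded serial 2000042501
"""


def ptr_sources(lines, qname=None):
    """Count PTR queries per client IP, optionally restricted to one owner name."""
    want = qname.rstrip(".").lower() if qname else None
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m.group("type").upper() != "PTR":
            continue  # not a query line, or not a reverse lookup
        # DNS names are case-insensitive and may carry a trailing dot.
        name = m.group("name").rstrip(".").lower()
        if want and name != want:
            continue
        counts[m.group("ip")] += 1
    return counts


def top_sources(lines, qname=None, n=5):
    """Return the n busiest clients as (ip, hits) pairs, busiest first."""
    return ptr_sources(lines, qname).most_common(n)


if __name__ == "__main__":
    target = "61.230.240.207.in-addr.arpa"
    for ip, hits in top_sources(SAMPLE_LOG.splitlines(), target):
        print(f"{hits:5d}  {ip}")
```

A client that dominates the tally is the host to look at first, typically a server doing reverse lookups on its incoming connections.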


