"Nintendo"('s NSes) are asking my IP for its rdns

Brian J. Murrell brian at interlinx.bc.ca
Tue Jul 24 11:05:03 UTC 2012


I've come across something interesting in my named logs:

00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:38 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied

where 216.58.37.216 is my IP address, assigned by my ISP and reverse
resolved by my ISP's name servers.

What is interesting is the fact that 205.166.76.12 is asking me
(216.58.37.216) for the PTR for my address.

Is this just broken NS software or are they (Nintendo, FWIW) doing
something interesting, like giving everyone an opportunity to provide
an rdns for their own IP address without everyone having to make
classless in-addr.arpa delegation arrangements with their ISP (which
mine refused to do)?

It's kind of a neat concept if it's not just an accident of broken NS
software.

Has anyone else seen anything like this before?  Is there some
(proposed even) standard for doing this that I'm not aware of?

In any case, now to the BIND part.  It seems reasonable for me to
answer that query, either with my own data or simply by allowing
that query to recurse.

I suppose I could create a zone for it and put some data in it for
that one record if I wanted to provide my own data.  But what if I
just wanted to allow recursive queries on that name so that I simply
returned whatever the proper NSes for it report?  I guess I could add
a zone record for it with a forwarder(s) configured to the name's proper
NSes, yes?  But that means me having to maintain those forward records
in tandem with my ISP playing musical NSes (which I don't expect but
why create a possible maintenance headache).

So how could I configure BIND to allow a query for
5.37.58.216.in-addr.arpa to be recursive for everyone, but of course,
continue to disallow general open recursive querying for names not
served here?

Cheers,
b.
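
The following is an added example, not part of the original post: a small parser that summarises denied cache queries in the log format quoted above, grouping them per client and name and decoding in-addr.arpa names to the address they ask about. The function names are hypothetical, the 192.0.2.7 line is constructed, and treating lines that share a source port as retransmissions of one lookup is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: denied-query lines copied from the post, plus one constructed
# line (192.0.2.7) showing a client asking for an unrelated name.
SAMPLE_LOG = """\
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:37 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:16:38 named client 205.166.76.12#55728: view greatunwashed: query (cache) '5.37.58.216.in-addr.arpa/PTR/IN' denied
00:17:02 named client 192.0.2.7#40000: view greatunwashed: query (cache) 'example.com/A/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) named client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"view (?P<view>\S+): query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/\w+' denied$"
)

def ptr_to_ip(qname):
    """Return the IPv4 address an in-addr.arpa name asks about, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None

def summarize_denied(log_text):
    """Group denied cache queries by (client, view, qname, qtype).

    Lines sharing a source port are treated as retransmissions of one lookup,
    so 'attempts' counts distinct source ports rather than log lines.
    """
    groups = defaultdict(lambda: {"lines": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a denied cache query in the expected format
        key = (m["ip"], m["view"], m["qname"].lower(), m["qtype"])
        groups[key]["lines"] += 1
        groups[key]["ports"].add(m["port"])
    return [
        {"client": k[0], "view": k[1], "qname": k[2], "qtype": k[3],
         "lines": g["lines"], "attempts": len(g["ports"]),
         "ptr_for": ptr_to_ip(k[2]) if k[3] == "PTR" else None}
        for k, g in sorted(groups.items())
    ]

if __name__ == "__main__":
    for row in summarize_denied(SAMPLE_LOG):
        print(row)
```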

