DNS Workshop

Wednesday Oct 31, 2012

Who is asking for 0.0.0.0.in-addr.arpa.?

This morning I experienced a steep increase in NXDOMAIN responses in my home network, just about the time that I started to install Windows 2012 for some DNS experiments. There were around 15 queries per minute from one source for a non-existing domain.

An increase of NXDOMAIN this morning

A closer look revealed that the NXDOMAIN responses were caused by queries for "0.0.0.0.in-addr.arpa.". This looked like misbehaving software.

A closer look: the queries are for 0.0.0.0.in-addr.arpa.

However, the originating IPv4 address that I could see sending the queries was none of my "well known" client or server systems.

The machine turned out to be the iDRAC card in a Dell r200 server I

It turned out to be the remote management card (iDRAC) inside the Dell r200 server I'm installing Windows 2012 on (IPv4 address 192.168.1.169 is the iDRAC card, 192.168.1.2 my BIND 9 resolving DNS). Luckily, because I'm running a recent version of BIND 9, these queries were stopped by the "automatic empty zones" feature in the recursive DNS server and not sent out to the Internet.

The automatic empty zones are defined in RFC 6303 - "Locally Served DNS Zones" and can be controlled using the "empty-zones-enable" statement in named.conf. If you have Dell servers with iDRAC cards that show the same behaviour as mine, and you use BIND 9.5.0+ with automatic empty zones, you are fine. Look at your BIND recursive server's startup messages. If you see a list similar to the one shown below, all is fine:

BIND "empty zones" startup messages

31-Oct-2012 12:39:26.753 automatic empty zone: 10.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 16.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 17.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 18.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 19.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 20.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 21.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 22.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 23.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 24.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 25.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 26.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 27.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 28.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 29.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 30.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 31.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 168.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 127.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 254.169.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 2.0.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 100.51.198.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 113.0.203.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: D.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 9.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: A.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: B.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA

If you do not see these messages, it might be because your BIND version is quite old. Consider upgrading. If you are using a different DNS server product, it is good practice to define empty DNS zones for the address blocks defined in RFC 6303. These zones contain only one SOA and one NS record (see below); they are "empty", and their only purpose is to stop internal traffic from leaking out of your internal networks to the Internet by serving the NXDOMAIN response locally.

Example "empty" zone-file

@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
@ 10800 IN NS @
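As an added example (not from the original post, and not BIND code), the Python script below derives the RFC 6303 reverse zone list from the address blocks, producing the same 33 names BIND prints at startup, and then tallies per client which entries of a BIND query log fell into one of those zones, which is how a chatty device like the iDRAC above shows up. The log lines are constructed, and the assumed line format is BIND 9's "client <addr>#<port>: query: <name> IN <type> ...".

```python
import ipaddress
import re
from collections import Counter

# RFC 6303 address blocks a recursive resolver should answer locally.
RFC6303_BLOCKS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "255.255.255.255/32", "::/128", "::1/128", "fd00::/8", "fe80::/10", "2001:db8::/32",
]

def reverse_zones(cidr):
    """Reverse zone names RFC 6303 lists for one block: prefixes not aligned to an
    octet (v4) or nibble (v6) label are split, so 172.16.0.0/12 -> 16.172 ... 31.172."""
    net = ipaddress.ip_network(cidr)
    bits = 8 if net.version == 4 else 4          # address bits per DNS label
    aligned = -(-net.prefixlen // bits) * bits    # round prefix up to a label
    keep = aligned // bits + 2                    # labels + in-addr/ip6 + arpa
    return [".".join(s.network_address.reverse_pointer.split(".")[-keep:])
            for s in net.subnets(new_prefix=aligned)]

ALL_ZONES = [z for block in RFC6303_BLOCKS for z in reverse_zones(block)]

def empty_zone_for(qname, zones=ALL_ZONES):
    """Locally served zone that a query name falls under, or None."""
    name = qname.lower().rstrip(".")
    return next((z for z in zones if name == z or name.endswith("." + z)), None)

# Assumed BIND 9 querylog line: "client <addr>#<port>: query: <name> <class> <type> ..."
LOG_RE = re.compile(r"client (?:@\S+ )?(?P<client>[0-9a-fA-F.:]+)#\d+.*?query: (?P<qname>\S+) IN ")

def offenders(log_lines, zones=ALL_ZONES):
    """Count, per (client, zone), the queries that hit a locally served zone."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        zone = empty_zone_for(m["qname"], zones) if m else None
        if zone:
            hits[(m["client"], zone)] += 1
    return hits

# Constructed sample log (not from the original post); 192.168.1.169 plays the iDRAC.
SAMPLE_LOG = [
    "31-Oct-2012 12:40:01.101 client 192.168.1.169#49152: query: 0.0.0.0.in-addr.arpa IN PTR + (192.168.1.2)",
    "31-Oct-2012 12:40:05.202 client 192.168.1.169#49153: query: 0.0.0.0.in-addr.arpa IN PTR + (192.168.1.2)",
    "31-Oct-2012 12:40:07.303 client 192.168.1.20#53011: query: www.example.com IN A + (192.168.1.2)",
    "31-Oct-2012 12:40:09.404 client 192.168.1.20#53012: query: 169.1.168.192.in-addr.arpa IN PTR + (192.168.1.2)",
    "31-Oct-2012 12:40:11.505 client 2001:db8::5#40000: query: "
    + ipaddress.ip_address("2001:db8::5").reverse_pointer + " IN PTR - (192.168.1.2)",
]
```

Run `offenders(open("query.log")).most_common()` against a real query log (enable it with `rndc querylog`) to list the noisiest (client, zone) pairs. Lookups for your own internal reverse zone (here 168.192.in-addr.arpa) will appear too; in BIND, a zone you define yourself overrides the automatic empty zone of the same name.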

Comments:

Today we found another source of such requests, about 2.5 million per hour: A Mathematica instance was running amok on a Linux workstation and was causing such requests en masse on the client side.

A potential work-around on the client-side is to add

0.0.0.0 nobody.invalid
to /etc/hosts on the corresponding machine.

Posted by Axel Beckert on March 10, 2014 at 02:05 PM CET #
