dnsworkshop.de
31 Oct 2012

Who is asking for 0.0.0.0.in-addr.arpa.?

This morning I experienced a steep increase in NXDOMAIN responses in my home network, just about the time that I started to install Windows 2012 for some DNS experiments. There were around 15 queries per minute from one source for a non-existing domain.


A closer look revealed that the NXDOMAIN responses were caused by queries for "0.0.0.0.in-addr.arpa.". This looked like misbehaving software.


However, the originating IPv4 address that I could see sending the queries was none of my "well known" client or server systems.


It turned out to be the remote management card (iDRAC) inside the Dell r200 server I'm installing Windows 2012 on (IPv4 address 192.168.1.169 is the iDRAC card, 192.168.1.2 is my BIND 9 resolving DNS server). Luckily, because I'm running a recent version of BIND 9, these queries were stopped by the "automatic empty zones" feature in the recursive DNS server and not sent out to the Internet.

The automatic empty zones are defined in RFC 6303 - "Locally Served DNS Zones" and can be controlled using the "empty-zones-enable" statement in named.conf. If you have Dell servers with iDRAC cards that show the same behaviour as mine, and you use BIND 9.5.0+ with automatic empty zones, you are fine. Look at your BIND recursive server startup messages. If you see a list similar to the one shown below, all is fine:

BIND "empty zones" startup messages

31-Oct-2012 12:39:26.753 automatic empty zone: 10.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 16.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 17.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 18.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 19.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 20.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 21.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 22.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 23.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 24.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 25.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 26.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 27.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 28.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 29.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 30.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 31.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 168.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 127.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 254.169.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 2.0.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 100.51.198.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 113.0.203.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: D.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 9.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: A.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: B.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA

If you do not see these messages, it might be because your BIND version is quite old. Consider upgrading. If you are using a different DNS server product, it is good practice to define empty DNS zones for the address blocks defined in RFC 6303. These zones contain only one SOA and one NS record (see below). They are "empty", and their only purpose is to stop internal traffic from leaking from your internal networks to the Internet by serving the NXDOMAIN response locally.

Example "empty" zone-file

@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
@ 10800 IN NS @
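
The startup-message check described above, as an added example that is not part of the original post: a Python script that extracts the "automatic empty zone" entries from a named log, reports which of the zones listed on this page are missing, and tells you which loaded empty zone (if any) answers a given reverse query. The function names and the three-line sample log are assumptions made for this example; the expected zone list is copied from the startup messages shown above.

```python
import re

# Zone names copied from the BIND startup messages shown on this page.
EXPECTED = (
    ["10.IN-ADDR.ARPA", "168.192.IN-ADDR.ARPA", "0.IN-ADDR.ARPA",
     "127.IN-ADDR.ARPA", "254.169.IN-ADDR.ARPA", "2.0.192.IN-ADDR.ARPA",
     "100.51.198.IN-ADDR.ARPA", "113.0.203.IN-ADDR.ARPA",
     "255.255.255.255.IN-ADDR.ARPA", "D.F.IP6.ARPA", "8.E.F.IP6.ARPA",
     "9.E.F.IP6.ARPA", "A.E.F.IP6.ARPA", "B.E.F.IP6.ARPA",
     "8.B.D.0.1.0.0.2.IP6.ARPA"]
    + [f"{n}.172.IN-ADDR.ARPA" for n in range(16, 32)]
    + [f"{first}." + "0." * 31 + "IP6.ARPA" for first in "01"]
)

# Constructed sample: a three-line excerpt in the log format shown above.
SAMPLE_LOG = """\
31-Oct-2012 12:39:26.753 automatic empty zone: 168.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 127.IN-ADDR.ARPA
"""

LOG_RE = re.compile(r"automatic empty zone: (\S+)")

def norm(name):
    """Lower-case and drop the trailing dot so names compare equal."""
    return name.rstrip(".").lower()

def loaded_zones(log_text):
    """Set of empty zones that named reported loading."""
    return {norm(m.group(1)) for m in LOG_RE.finditer(log_text)}

def missing_zones(log_text):
    """Expected zones that do not appear in the log."""
    return sorted({norm(z) for z in EXPECTED} - loaded_zones(log_text))

def covering_zone(qname, zones):
    """Most specific zone containing qname, matched on label boundaries."""
    labels = norm(qname).split(".")
    for i in range(len(labels)):  # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None  # no loaded empty zone covers this name

if __name__ == "__main__":
    zones = loaded_zones(SAMPLE_LOG)
    print(len(missing_zones(SAMPLE_LOG)), "expected zones missing from log")
    for q in ("0.0.0.0.in-addr.arpa.", "1.0.0.10.in-addr.arpa."):
        print(q, "->", covering_zone(q, zones) or "no empty zone loaded")
```

To check a real server, pass the contents of your named log file to `missing_zones()` instead of `SAMPLE_LOG`.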
Creative Commons License
strotmann.de by Carsten Strotmann is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.