[conspire] missing rDNS for (intentionally missing) IPv6
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Wed Mar 3 21:34:41 PST 2021
> From: "Michael Paoli" <Michael.Paoli at cal.berkeley.edu>
> Subject: Re: [conspire] missing rDNS for (intentionally missing) IPv6
> Date: Wed, 03 Mar 2021 14:43:48 -0800
Well, that's interesting ...:
$ dig +noall +question +answer +comments -x 2603:3024:182f:d100:220:edff:fe13:ba89
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15029
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e54b9967406096590bdabdf1604065676f9fef45f159682c (good)
;; QUESTION SECTION:
;9.8.a.b.3.1.e.f.f.f.d.e.0.2.2.0.0.0.1.d.f.2.8.1.4.2.0.3.3.0.6.2.ip6.arpa. IN PTR
$
Might've been a one-off, though ... repeat again of same query, didn't yield
same results - back to NXDOMAIN again ... but may be inconsistent results
from various nameservers or something like that. Let's peek a 'lil more ...
$ dig +trace -x 2603:3024:182f:d100:220:edff:fe13:ba89
...
0.3.3.0.6.2.ip6.arpa. 86400 IN NS dns103.comcast.net.
0.3.3.0.6.2.ip6.arpa. 86400 IN NS dns105.comcast.net.
0.3.3.0.6.2.ip6.arpa. 86400 IN NS dns102.comcast.net.
0.3.3.0.6.2.ip6.arpa. 86400 IN NS dns104.comcast.net.
0.3.3.0.6.2.ip6.arpa. 86400 IN NS dns101.comcast.net.
...
4.2.0.3.3.0.6.2.ip6.arpa. 3600 IN SOA dns101.comcast.net.
...
$
Well, that looks slightly interesting - we have an SOA record two
nibbles (a nibble or nybble is half a byte) down lower than we're seeing
NS records for.
$ (for ns in dns101.comcast.net. dns102.comcast.net. dns103.comcast.net. dns104.comcast.net. dns105.comcast.net.; do dig @"$ns" +norecurse +noall +answer +authority +additional +comments -x 2603:3024:182f:d100:220:edff:fe13:ba89 | sed -e 's/$/ @'"$ns"/; echo; done)
...
$
Well, nothin' exciting there ... all gave NXDOMAIN, and no referrals or
the like ... other than that slightly interesting SOA record.
Let's focus in a bit ...
$ dig +norecurse @dns101.comcast.net. -x 2603:3024:182f:d100:220:edff:fe13:ba89
... we get that SOA again, in the AUTHORITY part of response, but nothin'
particularly more interesting or referrals that are easy to pick out.
Let's try bottom up against that same server ...
$ (rr=9.8.a.b.3.1.e.f.f.f.d.e.0.2.2.0.0.0.1.d.f.2.8.1.4.2.0.3.3.0.6.2.ip6.arpa.; dig +norecurse +noall +answer +authority +additional @dns101.comcast.net. "$rr" PTR "$rr" NS "$rr" SOA) | sort -u
4.2.0.3.3.0.6.2.ip6.arpa. 3600 IN SOA dns101.comcast.net. hostmaster.comcast.com. 7 7200 300 604800 3600
$
8.a.b.3.1.e.f.f.f.d.e.0.2.2.0.0.0.1.d.f.2.8.1.4.2.0.3.3.0.6.2.ip6.arpa.
a.b.3.1.e.f.f.f.d.e.0.2.2.0.0.0.1.d.f.2.8.1.4.2.0.3.3.0.6.2.ip6.arpa.
... nibbling away at it ... we eventually find:
$ (rr=4.2.0.3.3.0.6.2.ip6.arpa.; dig +norecurse +noall +answer +authority +additional @dns101.comcast.net. "$rr" PTR "$rr" NS "$rr" SOA) | sort -u
4.2.0.3.3.0.6.2.ip6.arpa. 3600 IN SOA dns101.comcast.net. hostmaster.comcast.com. 7 7200 300 604800 3600
4.2.0.3.3.0.6.2.ip6.arpa. 7200 IN NS dns101.comcast.net.
4.2.0.3.3.0.6.2.ip6.arpa. 7200 IN NS dns102.comcast.net.
4.2.0.3.3.0.6.2.ip6.arpa. 7200 IN NS dns103.comcast.net.
4.2.0.3.3.0.6.2.ip6.arpa. 7200 IN NS dns104.comcast.net.
4.2.0.3.3.0.6.2.ip6.arpa. 7200 IN NS dns105.comcast.net.
$
but nothin' interesting between. So would seem those are the nameservers,
and nothing of interest relevant to the penultimate target "reverse"
DNS between - in terms of other nameservers or the like.
Not sure where the SERVFAIL came from - but doesn't seem particularly
prevalent or easily reproducible.
>> From: "Rick Moen" <rick at linuxmafia.com>
>> Subject: Re: [conspire] missing rDNS for (intentionally missing) IPv6
>> Date: Wed, 3 Mar 2021 13:41:28 -0800
>
>> $ dig -t PTR 9.8.a.b.3.1.e.f.f.f.d.e.0.2.2.0.0.0.1.d.f.2.8.1.4.2.0.3.3.0.6.2.ip6.arpa. +short
>> $
>
> I realize it was probably a copy/paste or the like, but also ...
>
> $ dig +noall +question +answer +comments -x 2603:3024:182f:d100:220:edff:fe13:ba89
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44761
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 638a5b2bb1856e5a4aff73f960400c30d18c251fd1594794 (good)
> ;; QUESTION SECTION:
> ;9.8.a.b.3.1.e.f.f.f.d.e.0.2.2.0.0.0.1.d.f.2.8.1.4.2.0.3.3.0.6.2.ip6.arpa. IN PTR
>
> $
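
The bottom-up walk described in the message above, as an added shell example that is not part of the original post: it strips one nibble at a time from an ip6.arpa name and asks a single authoritative server for SOA and NS at each level, keeping only the answer section so that the enclosing zone's SOA returned in the authority section of negative responses is not mistaken for a record at that level. The function names and the `QUERY` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: walk an ip6.arpa name upward one nibble at a time and list
# the levels at which one authoritative server answers with SOA or NS records.
# Usage: sh zonecut.sh dns101.comcast.net. <name under ip6.arpa.>

# ancestors NAME: print NAME and each ancestor, stopping before ip6.arpa. itself.
ancestors() (
    name=${1%.}.                       # normalise to exactly one trailing dot
    while [ -n "$name" ] && [ "$name" != "ip6.arpa." ]; do
        printf '%s\n' "$name"
        name=${name#*.}                # drop the leftmost label (one nibble)
    done
)

# query SERVER NAME TYPE: non-recursive lookup, answer section only, so an
# SOA carried in the authority section of NXDOMAIN/NODATA is not printed.
query() {
    dig +norecurse +noall +answer @"$1" "$2" "$3"
}

# find_cuts SERVER NAME: print "owner type first-rdata-field" for every level
# that itself owns SOA or NS records on SERVER.
# QUERY (an assumption of this example) may name a replacement for query(),
# which lets the walk be exercised offline against constructed answers.
find_cuts() (
    ancestors "$2" | while read -r name; do
        for type in SOA NS; do
            # </dev/null keeps the lookup from consuming the list of names
            "${QUERY:-query}" "$1" "$name" "$type" </dev/null |
                awk -v t="$type" '$4 == t { print $1, $4, $5 }'
        done
    done
)

# Run only when a server and a name are given on the command line.
if [ "$#" -ge 2 ]; then
    find_cuts "$1" "$2"
fi
```

A level that prints an SOA line is a zone apex on that server; a level that prints only NS lines is a delegation point.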