From: "Cordula's Web"
To: m@loonsoft.com
cc: freebsd-questions@freebsd.org
Date: Mon, 29 Dec 2003 20:56:32 +0100 (CET)
Subject: Re: named and 127.0.0.2

> I have a bind9 named running on the 4.x stable branch, and have noticed
> that it seems to be sending udp packets to 127.0.0.2:52 about once
> every 10 seconds or so (ipfw is denying and logging the traffic).
> Google has not shed any light on the subject.

127.0.0.2 is often returned by RBLs, when an address is blocked
(a.k.a. listed as spam source):

  http://www.spamhaus.org/sbl/howtouse.html
  http://www.mail-abuse.org/rbl/usage.html

Quoth the previous URL (mail-abuse.org):

"The theory of operation is simple. Given a host address in its
dotted-quad form, reverse the octets and check for the existence of
an ``A RR'' at that node under the blackholes.mail-abuse.org node.
So if you get an SMTP session from [192.5.5.1] you would check for
the existence of:

  1.5.5.192.blackholes.mail-abuse.org. IN A 127.0.0.2

We chose to use an ``A RR'' because that's what Sendmail makes easy
to do. The choice of [127.0.0.2] as the target address was arbitrary
but will not change. As it happens, we supply a bogus MAPS RBLSM
entry for [127.0.0.2] so that mail transport developers have
something to test against.

If an ``A RR'' is found by this mechanism, then there will also be a
``TXT RR'' at the same DNS node. The text of this record will be
suitable for use as a reason text for a bounced mail notification.
Currently the text is constant and currently there is no way to use
it from Sendmail, but there it is anyway."

Perhaps you have a mail filter installed, which queries one of those
RBLs, and then tries to do a reverse DNS lookup for 127.0.0.2?

> I've grepped all through /etc/, and have found no references to
> 127.0.0.2, and I certainly don't remember configuring anything (ever)
> with that particular address.
>
> What could be the cause of this mysterious bind behavior?

See above.

-- 
Cordula's Web. http://www.cordula.ws/
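
The lookup described in the quoted mail-abuse.org text, as an added example that is not part of the original message: it builds the reversed-octet query name, checks for the A record, then fetches the TXT reason. The function names, the `lookup` callable (a stand-in for a real resolver) and the sample zone data are assumptions constructed here; accepting only answers inside 127.0.0.0/8 goes beyond the quoted text and guards against resolvers that rewrite NXDOMAIN to a public address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for a live DNSBL (not real listings).
# The zone name and the 192.5.5.1 example come from the quoted text.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("1.5.5.192.blackholes.mail-abuse.org.", "A"): ["127.0.0.2"],
    ("1.5.5.192.blackholes.mail-abuse.org.", "TXT"): ["constructed reason text"],
    # Constructed case: an NXDOMAIN-rewriting resolver answers with a public IP.
    ("9.2.0.192.blackholes.mail-abuse.org.", "A"): ["203.0.113.7"],
}

def sample_lookup(name: str, rtype: str) -> List[str]:
    """Hypothetical resolver: returns record data, or [] when nothing exists."""
    return SAMPLE_ZONE.get((name, rtype), [])

@dataclass
class Verdict:
    query: str             # name that was looked up
    listed: bool           # True only for answers inside 127.0.0.0/8
    codes: List[str]       # accepted A record values, e.g. 127.0.0.2
    reason: Optional[str]  # TXT text usable in a bounce message

def dnsbl_name(client_ip: str, zone: str) -> str:
    """Reverse the dotted-quad octets and append the blocklist zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("the scheme quoted above is defined for dotted-quad IPv4")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.strip('.')}."

def check(client_ip: str, zone: str,
          lookup: Callable[[str, str], List[str]] = sample_lookup) -> Verdict:
    name = dnsbl_name(client_ip, zone)
    loopback = ipaddress.ip_network("127.0.0.0/8")
    # Ignore answers outside 127/8: they are not blocklist return codes.
    codes = [a for a in lookup(name, "A") if ipaddress.ip_address(a) in loopback]
    reason = None
    if codes:
        txt = lookup(name, "TXT")  # TXT lives at the same node as the A record
        reason = txt[0] if txt else None
    return Verdict(name, bool(codes), codes, reason)

if __name__ == "__main__":
    for ip in ("192.5.5.1", "192.0.2.9", "198.51.100.4"):
        print(check(ip, "blackholes.mail-abuse.org"))
```
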