Date:      Mon, 29 Dec 2003 20:56:32 +0100 (CET)
From:      "Cordula's Web" <cpghost@cordula.ws>
To:        m@loonsoft.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: named and 127.0.0.2
Message-ID:  <200312291956.hBTJuVZV084942@fw.farid-hajji.net>
In-Reply-To: <19496D77-3A06-11D8-AA2F-000A95AF3FB0@loonsoft.com> (message from McClain Looney on Mon, 29 Dec 2003 07:51:27 -0600)
References:  <19496D77-3A06-11D8-AA2F-000A95AF3FB0@loonsoft.com>

> I have a bind9 named running on the 4.x stable branch, and have noticed 
> that it seems to be sending udp packets to 127.0.0.2:52 about once 
> every 10 seconds or so (ipfw is denying and logging the traffic).  
> Google has not shed any light on the subject.

127.0.0.2 is often returned by RBLs, when an address is blocked
(a.k.a. listed as spam source):

  http://www.spamhaus.org/sbl/howtouse.html
  http://www.mail-abuse.org/rbl/usage.html

Quoth the previous URL (mail-abuse.org):

  "The theory of operation is simple. Given a host address in its
   dotted-quad form, reverse the octets and check for the existence of an
   ``A RR'' at that node under the blackholes.mail-abuse.org node. So if
   you get an SMTP session from [192.5.5.1] you would check for the
   existence of:
        1.5.5.192.blackholes.mail-abuse.org. IN A 127.0.0.2
   
   We chose to use an ``A RR'' because that's what Sendmail makes easy to
   do. The choice of [127.0.0.2] as the target address was arbitrary but
   will not change. As it happens, we supply a bogus MAPS RBLSM entry for
   [127.0.0.2] so that mail transport developers have something to test
   against.
   
   If an ``A RR'' is found by this mechanism, then there will also be a
   ``TXT RR'' at the same DNS node. The text of this record will be   
   suitable for use as a reason text for a bounced mail notification.  
   Currently the text is constant and currently there is no way to use it
   from Sendmail, but there it is anyway."

Perhaps you have a mail filter installed, which queries one of those
RBLs, and then tries to do a reverse DNS lookup for 127.0.0.2?

> I've grepped all through /etc/, and have found no references to 
> 127.0.0.2, and I certainly don't remember configuring anything (ever) 
> with that particular address.
> 
> What could be the cause of this mysterious bind behavior?

See above.

-- 
Cordula's Web. http://www.cordula.ws/
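
The lookup described in the quoted text, as an added example that is not part of the original message or of any mail filter's code. The resolver callables and the sample zone data are assumptions constructed for illustration, so the block runs without touching DNS.

```python
import ipaddress

ZONE = "blackholes.mail-abuse.org"   # zone named in the quoted text
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the dotted-quad octets and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)          # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."

def check_listed(ip, resolve_a, resolve_txt, zone=ZONE):
    """Return (listed, reason).

    resolve_a / resolve_txt are hypothetical callables supplied by the
    caller: name -> list of strings, empty list when no record exists.
    """
    name = dnsbl_query_name(ip, zone)
    # The A record value is a status code, not a host. Only 127.0.0.0/8
    # values count as a listing; anything else (e.g. a wildcard answer from
    # a defunct zone) is ignored, and the value is never resolved further.
    codes = [a for a in resolve_a(name) if ipaddress.IPv4Address(a) in LOOPBACK]
    if not codes:
        return False, None
    txt = resolve_txt(name)
    return True, (txt[0] if txt else None)

# Constructed zone data standing in for real DNS answers.
SAMPLE_A = {
    "2.0.0.127.blackholes.mail-abuse.org.": ["127.0.0.2"],    # test entry
    "1.5.5.192.blackholes.mail-abuse.org.": ["127.0.0.2"],
    "9.2.0.192.blackholes.mail-abuse.org.": ["203.0.113.7"],  # not a listing code
}
SAMPLE_TXT = {
    "1.5.5.192.blackholes.mail-abuse.org.": ["Blocked (constructed reason text)"],
}

def sample_a(name):
    return SAMPLE_A.get(name, [])

def sample_txt(name):
    return SAMPLE_TXT.get(name, [])

if __name__ == "__main__":
    for ip in ("192.5.5.1", "127.0.0.2", "192.0.2.9", "198.51.100.4"):
        print(ip, check_listed(ip, sample_a, sample_txt))
```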


