DNS Morons

These people should run Split-horizon DNS;

HostWrong IP addressReason
dns01.exegy.net64:ff9b::c7bf:35e5RFC 6052
dns02.exegy.net64:ff9b::d821:4b86RFC 6052
dns2.atcbb.co172.17.7.100RFC 1918
dnsr01.srv.internal.nsec.io10.5.20.32RFC 1918
dnsr02.srv.internal.nsec.io10.5.20.34RFC 1918
dns-sna-0302.corp.wayport.net172.17.32.122RFC 1918
hertz.xl.net.id64:ff9b::ca98:fef6RFC 6052
ibauhns3.duhosting.ae10.79.128.18RFC 1918
ibauhns4.duhosting.ae10.79.128.22RFC 1918
ibdxbns4.duhosting.ae10.198.18.14RFC 1918
infdns02.tigo.net.bo172.16.57.186RFC 1918
int-amer.dell.com10.254.239.14RFC 1918
int-amer.dell.com10.254.239.6RFC 1918
nat-dev.exegy.com64:ff9b::c7bf:3569RFC 6052
ns1.comeconnect.com64:ff9b::caa4:2051RFC 6052
ns1.exchangenext.net10.8.54.252RFC 1918
ns1.netplus.co.in64:ff9b::6729:17c2RFC 6052
ns2.comeconnect.com64:ff9b::caa4:2052RFC 6052
ns2.exchangenext.net10.8.54.195RFC 1918
ns2.netplus.co.in64:ff9b::6729:17c3RFC 6052
ns3.tataidc.co.in64:ff9b::6708:2d05RFC 6052
ns4.tataidc.co.in64:ff9b::6708:2e05RFC 6052
snbdc-dns1.xl.net.id64:ff9b::70d7:25b6RFC 6052
snbdc-dns2.xl.net.id64:ff9b::70d7:25b7RFC 6052
socrates.xl.net.id64:ff9b::ca98:fef5RFC 6052

Last update: Sat 27 May 06:02:02 UTC 2017

Block

You can block answers like these with Bind's 'deny-answer-addresses' feature;

    deny-answer-addresses {
        // Unconfigured
        0.0.0.0;
        // RFC 1918
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        // RFC 3927
        169.254.0.0/16;
        // IPv6
        // :: to ::ffff:ffff:ffff.
        // Includes ::, ::1, IPv4-Compatible IPv6 Addresses ::/96,
        // and IPv4-mapped IPv6 addresses ::ffff:0:0/96
        ::/80;
        // IPv6 Link local
        fe80::/10;
        // RFC 6052
        64:ff9b::/96;
    } except-from { "Your.Domain"; };
    deny-answer-aliases { "Your.Domain"; };

The produces log entries like;

Aug 21 19:31:01 sput named[1601]: answer address 10.0.0.100 denied for spacefon.com/A/IN

Not blocking these addresses can be a serious security risk.