Hurricane Electric's IPv6 Tunnel Broker Forums

DNS.HE.NET Topics => General Questions & Suggestions => Topic started by: snarked on September 11, 2021, 08:59:30 AM

Title: Are tunnel endpoints open DNS resolvers?
Post by: snarked on September 11, 2021, 08:59:30 AM
I have rate limiting enabled in my DNS server. I'm getting rate limiting messages in my system logs for DNS queries that appear to be from HE's tunnel server. Example:

Quote
11-Sep-2021 08:23:52.542 client @0x7fcf905af6e0 66.220.18.42#26678 (DELETED-bl.snarked.net): rate limit slip NODATA response to 66.220.18.0/24 for DELETED-bl.snarked.net IN  (2d03f8d7)

I see no reason for a tunnel server to be the source of a query for any hosted domain outside of HE itself.  Is there a security hole permitting them to be open resolvers?

I have masked the actual query by deleting part of it, but left enough of it to show that it is a DNSBL entry, not a hostname query.  Why would a tunnel server be checking my private list (and furthermore, the list being checked is not an IPv4, IPv6, or a domain name list, but something else)?  66.220.18.42 is the Los Angeles tunnel server endpoint address.
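An added example, not code from the post or from HE: it parses BIND response-rate-limiting log lines of the shape quoted above and tallies them per rate-limited prefix, so you can see which names a given source keeps hitting and whether the source falls inside a network you care about. The 192.0.2.x lines, the unrelated log line and the `watch_networks` argument are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# BIND RRL log line, as quoted in the post. "slip" means a truncated reply was
# sent (a real client can retry over TCP); "drop" means nothing was sent. The
# "@0x..." client handle, the response kind (NODATA/NXDOMAIN/error) and the
# record type after "IN" are all optional, since BIND omits them in some cases.
RRL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rate limit (?P<action>slip|drop) "
    r"(?:(?P<rtype>\S+) )?response to (?P<prefix>\S+) for (?P<name>\S+) IN\s+"
    r"(?:(?P<rrtype>[A-Z][A-Z0-9]*)\s+)?\((?P<hash>[0-9a-f]+)\)\s*$"
)

def parse_rrl_line(line):
    """Return the fields of one RRL log line as a dict, or None if not RRL."""
    m = RRL_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines, watch_networks=()):
    """Aggregate RRL events per limited prefix: action counts, names asked for,
    and whether the client sits inside one of the caller's networks of interest."""
    nets = [ip_network(n) for n in watch_networks]
    out = defaultdict(lambda: {"actions": Counter(), "names": set(), "watched": False})
    for line in lines:
        ev = parse_rrl_line(line)
        if ev is None:
            continue  # not an RRL line, skip it
        entry = out[ev["prefix"]]
        entry["actions"][(ev["action"], ev["rtype"] or "normal")] += 1
        entry["names"].add(ev["name"])
        if any(ip_address(ev["client"]) in n for n in nets):
            entry["watched"] = True
    return dict(out)

# Constructed sample: the line from the post plus made-up lines.
SAMPLE_LOG = [
    "11-Sep-2021 08:23:52.542 client @0x7fcf905af6e0 66.220.18.42#26678 (DELETED-bl.snarked.net): "
    "rate limit slip NODATA response to 66.220.18.0/24 for DELETED-bl.snarked.net IN  (2d03f8d7)",
    "11-Sep-2021 08:23:53.101 client @0x7fcf905af6e0 66.220.18.42#26701 (DELETED-bl.snarked.net): "
    "rate limit drop NODATA response to 66.220.18.0/24 for DELETED-bl.snarked.net IN  (2d03f8d7)",
    "11-Sep-2021 08:24:10.007 client 192.0.2.77#53000 (www.example.net): "
    "rate limit slip response to 192.0.2.0/24 for www.example.net IN A (0a1b2c3d)",
    "11-Sep-2021 08:24:11.000 general: info: some unrelated log line",
]
```

Running `summarize(SAMPLE_LOG, ["66.220.18.0/24"])` shows the 66.220.18.0/24 entry flagged as watched with one slip and one drop for the DNSBL name, and the 192.0.2.0/24 entry unflagged.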