Analyzing Reverse Lookup Nameservers within AFRINIC (2021-01)

We recently looked at 57 ccTLDs for countries within AFRINIC. For the nameservers whose IPv4 addresses fall within resources managed by AFRINIC (41/8, 102/8, 105/8, 196/8, 197/8), we further analyzed the DNS for the in-addr reverse lookups using our auditing tool. We identified 35 unique anomalies (out of 95+) based on IETF/RFC standards and best practices, registry policies, government mandates, and vendor guidelines. This is a summary of some of that analysis.

The recursion depth for resolving 57.86.41.in-addr.arpa was six levels deep, which may exceed the maximum depth allowed by some iterative resolvers.

The nameservers for 192.221.41.in-addr.arpa and 57.86.41.in-addr.arpa return the Recursion Available (RA) flag in authoritative tests. These are open resolvers: ns.cvtelecom.cv (41.221.192.167), ns2.seychelles.net (41.223.218.7), and ns.seychelles.net (41.223.218.6).

Two domains only have a single nameserver: 54.138.41.in-addr.arpa and 79.222.41.in-addr.arpa.

Several domains had nameservers that timed out:

164.29.196.in-addr.arpa, 166.29.196.in-addr.arpa, and 180.29.196.in-addr.arpa: ans2.canar.sd (196.29.164.14)
192.221.41.in-addr.arpa: ns2.cvtelecom.cv (41.221.192.166)
127.253.197.in-addr.arpa and 95.253.197.in-addr.arpa: ns2.nita.gov.gh (197.253.124.231) and ns4.nita.gov.gh (197.253.124.251)
1.49.196.in-addr.arpa: ns1.sixp.gm (196.49.1.14, UDP only)
235.79.41.in-addr.arpa: ns1.net.cd (102.68.62.15)

191.85.41.in-addr.arpa's nameserver ns1.kanakoo.bj (41.216.47.20) REFUSED to provide an answer. 235.79.41.in-addr.arpa's nameserver ns2.net.cd (102.68.60.15) also REFUSED to provide an answer.
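An added example, not the auditing tool's own code: a header-level check for the RA, REFUSED and timeout conditions described above, run over constructed replies so it works offline. The function names, the 2.0.192.in-addr.arpa zone and the sample replies are assumptions made for illustration.

```python
import struct

QR, AA, RA = 0x8000, 0x0400, 0x0080          # header flag bits (RFC 1035)
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(zone, qtype=6, txid=0x1234):
    """Build a non-recursive (RD=0) SOA query, as an authoritative test sends."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in zone.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def audit_response(query, response):
    """Return the anomalies visible in one reply's header (None = no reply)."""
    if response is None:
        return ["timeout"]
    if len(response) < 12:
        return ["short-header"]
    txid, flags = struct.unpack("!HH", response[:4])
    findings = []
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        findings.append("not-our-response")
    rcode = flags & 0x000F
    if rcode:
        findings.append("rcode:" + RCODES.get(rcode, str(rcode)))
    if flags & RA:                            # server offers recursion
        findings.append("recursion-available")
    if rcode == 0 and not flags & AA:         # answered, but not as an authority
        findings.append("non-authoritative-answer")
    return findings

def fake_response(query, flags):
    """Constructed reply: echo the query with the given header flags."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("2.0.192.in-addr.arpa")   # constructed zone (TEST-NET-1)
    samples = {                               # constructed server replies
        "ns-ok": fake_response(q, QR | AA),
        "ns-open": fake_response(q, QR | AA | RA),
        "ns-refused": fake_response(q, QR | 5),
        "ns-dead": None,
    }
    for name, resp in samples.items():
        print(name, audit_response(q, resp) or ["clean"])
```

Sending the query with RD=0 matters: the RA bit in the reply then reflects what the server advertises, not a response to a recursion request.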

Several domains were only hosted from nameservers within single topological networks: 30.185.41.in-addr.arpa, 30.220.41.in-addr.arpa, 4.1.196.in-addr.arpa, 5.87.41.in-addr.arpa, 74.156.197.in-addr.arpa, 95.1.196.in-addr.arpa, 96.200.196.in-addr.arpa, and 96.3.196.in-addr.arpa.

Only one domain was DNSSEC enabled: 162.216.196.in-addr.arpa.

Some of the above may result in lame delegations. Several other domains also returned NXDOMAIN, but we are ignoring those in this report. If you have any questions or would like us to analyze your domains and nameservers, let us know.

We previously audited 9500 domains within ccTLDs in the AFRINIC region from a recent Tranco Top Million list. Our DNS test suite found 71 unique anomalies and well over 100000 issues, such as recursion depth exceeding resolver default, private IP addresses for nameservers, responses from different IP addresses, 6to4 addresses, IPv4-mapped addresses, responses from non-authoritative resolvers, expired DNSSEC signatures, repeated domain names (missing dot), root referrals, and 60 other problems. What do you use to check your DNS?