
Detect Malicious .ip6.arpa TLD Reverse DNS Zone Response Packets using PacketSmith Yara-X Detection Module


Introduction

The other day, I was reading the interesting article Abusing .arpa: The TLD That Isn't Supposed to Host Anything by the Infoblox threat intel team, published on February 26, 2026. What got my attention is the clever abuse of the .arpa TLD (Address and Routing Parameter Area) for phishing purposes, and in particular the querying of the IPv6 reverse DNS zone ip6.arpa for an A record, instead of its legitimate use for reverse DNS lookups via PTR records, which translate IP addresses back to domain names. According to IANA, the domain ip6.arpa is used for "mapping IPv6 addresses to Internet domain names", that is, mapping nibble-reversed IPv6 addresses back to hostnames.

I'm not aware of any prior documentation of such clever usage of the .arpa TLD to evade detection. The article is worth taking the time to read in full.

For example, when a DNS query of type A is sent for the name c.5.2.1.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa, the server returns a routable C2 A record, 157[.]245[.]92[.]156, as shown in the figure below.

For the server to return a routable A record, the queried reverse DNS name has to be under the threat actor's control, i.e. registered as a domain name, since this is not a legitimate/valid use of the ip6.arpa domain.

After reading the article, I asked myself how to write a domain-independent generalized detection logic against this abuse of the ip6.arpa domain.

Detection Logic Using PacketSmith + Yara-X Detection Module

In this section, we'll write a custom and generic Yara-X rule that uses PacketSmith's custom pattern identifier dns to detect this abuse of the ip6.arpa domain, with zero probability of any false positives.

Please refer to the sneak peek article Yara-X + PacketSmith Detection Module for more information about the dns custom pattern identifier and the Yara-X detection module.

For reference, a pcap arpa_ip6_reverse_dns_a_record.pcap with this behaviour is available for download from Netomize's GitHub repository.

The detection logic is simple: it checks a few indicators in the DNS response packet to confirm that a query for a name under the reverse DNS zone was answered with an A record. The main detection logic consists of the following atomic indicators:

  • The requested reverse DNS name ends with ip6.arpa

  • Query/Answer type is A (1), and class is IN (1)

  • Answer RR TTL is low, as is typical for fast-flux DNS (optional)

    • In the case of c.5.2.1.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa, the server returns a TTL of 5, which is very low for legitimate traffic

  • Answer RR data length is 4 bytes (an IPv4 address), to make sure that the server actually returned an A record value

  • Other indicators are documented in the rule

The rule could be written as follows:

rule ip6_arpa_tld_dns_rsp_pkt_malicious
{
  meta:
    description = "Detect malicious .ip6.arpa TLD DNS response pkts"
    reference   = "https://www.infoblox.com/blog/threat-intelligence/abusing-arpa-the-tld-that-isnt-supposed-to-host-anything/"
    filter      = "Frames (frames:)"
    author      = "Netomize"
    date        = "17/03/2026"

  condition:
    dns.is_set and not dns.over_tcp and dns.flag.response
    and
    dns.flag.opcode   == 0
    and
    dns.count.queries == 1
    and
    dns.count.ansr_rr == 1
    and
    dns.qry[0].type   == 1  // A
    and
    dns.qry[0].class  == 1  // IN
    and
    dns.qry[0].name.labels.total > 2
    and
    // example: c.5.2.1.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa
    dns.qry[0].name.qname endswith ".ip6.arpa"
    and
    dns.ansr_rr[0].type  == 1  // A
    and
    dns.ansr_rr[0].class == 1  // IN
    and
    dns.ansr_rr[0].rdata.size == 4
}

Similar detection logic could be applied to the in-addr.arpa reverse DNS zone.
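To make the atomic indicators above concrete outside of PacketSmith, here is an added example (not from the original article, and not PacketSmith or Yara-X code) in plain Python: a small DNS wire-format builder and parser, plus a detect_reverse_zone_a_response() function that applies the same checks as the rule. It generalizes the rule slightly, as the paragraph above suggests, by also covering in-addr.arpa. The three sample packets are constructed inline; the ip6.arpa query name, the 157.245.92.156 answer and the TTL of 5 are taken from the article, while the PTR and example.com packets are made-up legitimate traffic for contrast. Function and variable names are my own, not PacketSmith field names.

```python
"""Flag DNS responses that answer an A query for a name under a reverse DNS zone."""
import struct
import ipaddress

# Reverse zones where an A answer is not a legitimate use (leading dot avoids
# matching unrelated names such as "myip6.arpa").
REVERSE_ZONES = (".ip6.arpa", ".in-addr.arpa")
TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1


def encode_name(name):
    """Encode a dotted name into DNS wire format (uncompressed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(qname, qtype, rdata, ttl, txid=0x1234):
    """Constructed sample: one question, one answer, flags QR=1 RD=1 RA=1, opcode 0."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)
    # The answer's owner name is a compression pointer (0xC00C) to the question name.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", qtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(packet, offset):
    """Decode a possibly compressed name; return (labels, offset after the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return labels, (end if jumped else offset)
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(packet):
    """Parse header, question and answer sections (authority/additional are ignored)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    offset, queries, answers = 12, [], []
    for _ in range(qd):
        labels, offset = read_name(packet, offset)
        qtype, qclass = struct.unpack(">HH", packet[offset:offset + 4])
        offset += 4
        queries.append({"labels": labels, "type": qtype, "class": qclass})
    for _ in range(an):
        labels, offset = read_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        answers.append({"type": rtype, "class": rclass, "ttl": ttl,
                        "rdata": packet[offset:offset + rdlen]})
        offset += rdlen
    return {"response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "count": {"queries": qd, "ansr_rr": an}, "qry": queries, "ansr_rr": answers}


def detect_reverse_zone_a_response(packet, low_ttl=60):
    """Apply the rule's atomic indicators; return (matched, human-readable detail)."""
    dns = parse_dns(packet)
    if not (dns["response"] and dns["opcode"] == 0):
        return False, "not a standard-query response"
    if dns["count"]["queries"] != 1 or dns["count"]["ansr_rr"] != 1:
        return False, "expected exactly one question and one answer RR"
    q, a = dns["qry"][0], dns["ansr_rr"][0]
    qname = ".".join(q["labels"]).lower()
    if not (q["type"] == TYPE_A and q["class"] == CLASS_IN):
        return False, "query is not A/IN"
    if len(q["labels"]) <= 2 or not qname.endswith(REVERSE_ZONES):
        return False, "query name is not under a reverse DNS zone"
    if not (a["type"] == TYPE_A and a["class"] == CLASS_IN and len(a["rdata"]) == 4):
        return False, "answer is not a 4-byte A record"
    addr = str(ipaddress.IPv4Address(a["rdata"]))
    note = " (low TTL, possible fast-flux)" if a["ttl"] <= low_ttl else ""
    return True, f"{qname} -> A {addr} ttl={a['ttl']}{note}"


# Constructed samples: the first mirrors the article's observation, the others are benign.
SAMPLES = {
    "ip6_arpa_a_record": build_dns_response(
        "c.5.2.1.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa", TYPE_A, bytes([157, 245, 92, 156]), 5),
    "legit_ptr": build_dns_response(
        "1.0.0.127.in-addr.arpa", TYPE_PTR, encode_name("localhost"), 3600),
    "ordinary_a": build_dns_response("example.com", TYPE_A, bytes([192, 0, 2, 10]), 3600),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        matched, detail = detect_reverse_zone_a_response(pkt)
        print(f"{name:18} {'ALERT' if matched else 'ok   '} {detail}")
```

Only the first sample fires; the PTR lookup fails the A/IN query check and the ordinary A lookup fails the reverse-zone check, which is exactly why the rule's false-positive surface is so small: a PTR-only zone should never legitimately answer an A query with an address.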

Running the above Yara-X rule against the linked pcap with PacketSmith and saving the result as JSON, we get the file yara_dte_2026_03_17_11_46_06.json with all the detections:

PacketSmith.exe -i arpa_ip6_reverse_dns_a_record.pcap -D yara:console_json -F frames: -O .

Conclusion

This article documents the misuse of the .arpa TLD, specifically the ip6.arpa reverse DNS zone, as seen in the wild, for phishing purposes, and demonstrates how to write a generic Yara-X rule using PacketSmith's custom pattern identifier dns to detect malicious use of the ip6.arpa reverse DNS zone.


Author: Mohamad Mokbel

First release: March 17, 2026
