ip6.arpa Wildcard Abuse: Hunting Phishing Infrastructure Across IPv6 Prefixes
ID: 67b37e84-feb8-5310-81f2-20a393b4d950
STIX ID: report--67b37e84-feb8-5310-81f2-20a393b4d950
Feed Name: CloudSEK Blog
The report documents an active phishing technique that abuses ip6.arpa reverse DNS. Attackers take delegation of /48 IPv6 reverse zones and add wildcard A records, so that every randomized nibble-prefixed subdomain under the zone resolves to attacker-controlled infrastructure. This yields a unique phishing URL per recipient, which evades reputation-based email and URL scanners that have never seen the hostname before. A global scan of 127,906 prefixes found 384 zones whose NS records point to Cloudflare (assessed as staged infrastructure) and two confirmed malicious zones, one Cloudflare-proxied and one hosted at 85.215.34.119. The authors recommend DNS anomaly detection (blocking A/AAAA answers for names under .arpa), RPZ rules, improved URL extraction in mail scanners, and monitoring of delegated .ip6.arpa zones.
