[dns-operations] Lots of queries for TXT records?

Paul Ferguson fergdawgster at gmail.com
Wed Apr 8 04:27:52 UTC 2009



On Tue, Apr 7, 2009 at 9:01 PM, Rob Thomas <robt at cymru.com> wrote:

> Hey, Chris.
>
> Thanks for the heads-up!
>
>> I am seeing a lot of queries for TXT records for "deepholeforyou.info"
>> from a number of clients (many making several dozen requests per
>> second).  Earlier, this was returning huge TXT records (I was seeing 4-5
>> times as much traffic from my recursive server), but now they've been
>> replaced by a CNAME to fworld.net (with no TXT records).
>
> I see these queries beginning at least as early as 2009-04-03 01:50:12
> UTC, and perhaps earlier.  I'm doing more digging now.
>
>> Is there some virus/worm I haven't yet heard of causing this?
>
> Unclear.  A quick scan of our malware menagerie didn't turn up any hits,
> but I'm still looking.
>

This domain looks fishy (not necessarily phishy).

Right now it's parked at Cheapnames.com, but when domain registration data
shows "timjunk at mail.ru" as the tech contact, my Russkrainian cyber criminal
radar starts red-lining. :-)

A little Google foo turned up this, however:

http://serversupportforum.de/forum/dns/31957-bind-cache-poisoning.html

...which indicates that this is not an isolated incident.

- ferg




-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
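The symptom Chris reports above (clients issuing several dozen TXT queries per second for one name through a recursive resolver) is something an operator can pick out of a query log. The following is an added example, not code from the thread or from any of the people quoted in it; it assumes BIND 9 style query-log lines and a constructed sample log, and flags any client whose TXT query rate for a single name reaches two dozen per second.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# BIND 9 query-log line (format assumed), e.g.:
# 07-Apr-2009 21:00:00.001 client 192.0.2.10#51234: query: deepholeforyou.info IN TXT + (10.0.0.53)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?P<client>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)

def parse_query_log(text):
    """Yield (timestamp, client, qname, qtype) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m["client"], m["qname"].lower().rstrip("."), m["qtype"].upper()

def txt_query_peaks(text):
    """Peak number of TXT queries per (client, qname) in any one-second bucket."""
    buckets = Counter()
    for ts, client, qname, qtype in parse_query_log(text):
        if qtype == "TXT":
            buckets[(client, qname, ts.replace(microsecond=0))] += 1
    peaks = defaultdict(int)
    for (client, qname, _), n in buckets.items():
        peaks[(client, qname)] = max(peaks[(client, qname)], n)
    return dict(peaks)

def flag_txt_flood(text, threshold=24):
    """Return {(client, qname): peak_qps} for pairs at or above the threshold."""
    return {k: v for k, v in txt_query_peaks(text).items() if v >= threshold}

def _sample_log():
    """Constructed sample: one client hammering TXT lookups, one normal client."""
    base = datetime(2009, 4, 7, 21, 0, 0)
    lines = []
    for i in range(40):  # 40 TXT queries for one name inside a single second
        t = base + timedelta(milliseconds=25 * i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d} client "
                     f"192.0.2.10#51234: query: deepholeforyou.info IN TXT + (10.0.0.53)")
    for i in range(3):  # a client doing ordinary A lookups, one per second
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.000 client 198.51.100.7#40001: "
                     f"query: example.com IN A + (10.0.0.53)")
    return "\n".join(lines)

SAMPLE_LOG = _sample_log()
```

Pairing the flagged clients with response sizes from the same resolver (the 4-5x traffic increase mentioned above) is what turns a rate alert into an amplification alert.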
