[dns-operations] Lots of queries for TXT records?
Michael Sinatra
michael at rancid.berkeley.edu
Wed Apr 8 15:10:39 UTC 2009
On 4/8/09 6:02 AM, Chris Adams wrote:
> Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
>> I am seeing a lot of queries for TXT records for "deepholeforyou.info"
>> from a number of clients (many making several dozen requests per
>> second).
>
> Now that has stopped, and I'm seeing lots of queries for MX records for
> "-m.", possibly from the same users as before.
>
> Maybe a virus writer made a typo?
Yep, I am seeing the same thing, from the same hosts (also port 1024).
I am also seeing these same hosts query for '. ANY'. The interesting
thing is that the source addresses don't seem to be spoofed (we run uRPF
internally, and these are from internal hosts and we do BCP38 at the
border), so it's hard to see how this could be a *successful*
reflection attack.
michael
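
Added example, not part of the original message: one way to pull the per-client query bursts described in this thread out of resolver query logs. The BIND-style log line format, the constructed sample lines and addresses, and the threshold of 24 queries per second (standing in for "several dozen") are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND-style querylog line, e.g.
# 08-Apr-2009 15:10:39.001 client 10.0.0.5#1024: query: example.com IN TXT +
LINE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d)\.\d+ client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def noisy_clients(lines, per_second=24):
    """Return {ip: {"peak", "questions", "ports"}} for clients that repeat one
    (qname, qtype) question at least per_second times within a single second."""
    buckets = Counter()        # (ip, qname, qtype, second) -> query count
    ports = defaultdict(set)   # ip -> source ports seen
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue           # not a query line
        qname = m["qname"].lower().rstrip(".") or "."   # keep root as "."
        key = (m["ip"], qname, m["qtype"].upper(), m["ts"])
        buckets[key] += 1
        ports[m["ip"]].add(int(m["port"]))
    flagged = {}
    for (ip, qname, qtype, _second), n in buckets.items():
        if n >= per_second:
            entry = flagged.setdefault(ip, {"peak": 0, "questions": set(), "ports": ports[ip]})
            entry["peak"] = max(entry["peak"], n)
            entry["questions"].add((qname, qtype))
    return flagged

def sample_log():
    """Constructed log lines modelled on the traffic reported in the thread."""
    stamp = "08-Apr-2009 15:10"
    out = [f"{stamp}:39.{i:03d} client 10.0.0.5#1024: query: deepholeforyou.info IN TXT +"
           for i in range(36)]
    out += [f"{stamp}:40.{i:03d} client 10.0.0.5#1024: query: -m. IN MX +" for i in range(30)]
    out.append(f"{stamp}:40.500 client 10.0.0.5#1024: query: . IN ANY +")
    out.append(f"{stamp}:40.600 client 10.0.0.9#53124: query: www.example.com IN A +")
    return out

if __name__ == "__main__":
    for ip, info in noisy_clients(sample_log()).items():
        print(ip, info["peak"], sorted(info["questions"]), sorted(info["ports"]))
```

Because the sources in this thread are not spoofed, the flagged addresses are real internal hosts that can be followed up on directly.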