Michael Sinatra michael at rancid.berkeley.edu
Wed Apr 8 15:10:39 UTC 2009

On 4/8/09 6:02 AM, Chris Adams wrote:
> Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
>> I am seeing a lot of queries for TXT records for "deepholeforyou.info"
>> from a number of clients (many making several dozen requests per
>> second).
> Now that has stopped, and I'm seeing lots of queries for MX records for
> "-m.", possibly from the same users as before.
> Maybe a virus writer made a typo?

Yep, I am seeing the same thing, from the same hosts (also port 1024).

I am also seeing these same hosts query for '. ANY'.  The interesting 
thing is that the source addresses don't seem to be spoofed (we run uRPF 
internally, and these are from internal hosts and we do BCP38 at the 
border), so it's hard to see how this could be a *successful* 
reflection attack.
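The query patterns discussed in this thread (bursts of TXT lookups for one name, MX lookups for the malformed name "-m.", and ". ANY" queries, all from a fixed source port) are the kind of thing a resolver operator can pick out of BIND's query log. The following script is an added example, not part of the original thread, that parses BIND-style query log lines and reports clients matching those patterns. The log format, the addresses, the source port and the per-second threshold are constructed assumptions for illustration; adjust the regex to your own server's log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. Assumed BIND 9 querylog format:
#   "<date> <time> client <ip>#<port>: query: <name> IN <type> <flags> (<server>)"
# 10.1.2.3 and 10.1.2.4 mimic the hosts described in the thread; 10.9.9.9 is benign.
SAMPLE_LOG = "\n".join(
    [f"08-Apr-2009 15:10:39.{i:03d} client 10.1.2.3#1024: query: deepholeforyou.info IN TXT + (10.0.0.53)"
     for i in range(12)]
    + [
        "08-Apr-2009 15:10:40.100 client 10.1.2.3#1024: query: -m. IN MX + (10.0.0.53)",
        "08-Apr-2009 15:10:40.101 client 10.1.2.3#1024: query: . IN ANY + (10.0.0.53)",
        "08-Apr-2009 15:10:40.200 client 10.1.2.4#1024: query: -m. IN MX + (10.0.0.53)",
        "08-Apr-2009 15:10:40.201 client 10.1.2.4#1024: query: . IN ANY + (10.0.0.53)",
        "08-Apr-2009 15:10:41.000 client 10.9.9.9#53211: query: www.example.com. IN A + (10.0.0.53)",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "second": m.group("ts").split(".")[0],  # drop milliseconds for per-second buckets
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qtype": m.group("qtype").upper(),
    }


def has_invalid_label(qname):
    """True if any non-empty label starts or ends with '-', which is not a valid hostname label."""
    return any(label and (label.startswith("-") or label.endswith("-"))
               for label in qname.split("."))


def analyze(log_text, rate_threshold=10):
    """Summarise per-client behaviour: root ANY queries, invalid names, peak per-second rate, ports."""
    per_second = defaultdict(Counter)   # ip -> Counter(second -> number of queries)
    root_any = set()
    bad_names = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        ports[q["ip"]].add(q["port"])
        per_second[q["ip"]][q["second"]] += 1
        if q["qtype"] == "ANY" and q["qname"] == ".":
            root_any.add(q["ip"])
        if has_invalid_label(q["qname"]):
            bad_names[q["ip"]].add(q["qname"])
    high_rate = {ip: max(c.values()) for ip, c in per_second.items()
                 if max(c.values()) >= rate_threshold}
    return {
        "root_any": sorted(root_any),
        "invalid_names": {ip: sorted(names) for ip, names in bad_names.items()},
        "high_rate": high_rate,
        "ports": {ip: sorted(p) for ip, p in ports.items()},
    }


def suspicious_clients(report):
    """Clients that triggered at least one of the three indicators."""
    ips = set(report["root_any"]) | set(report["invalid_names"]) | set(report["high_rate"])
    return sorted(ips)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in suspicious_clients(report):
        print(ip, "ports:", report["ports"][ip],
              "peak/sec:", report["high_rate"].get(ip, 0),
              "root ANY:", ip in report["root_any"],
              "invalid names:", report["invalid_names"].get(ip, []))
```

The peak-rate figure is the reason to look at a client, and the fixed source port across every query is a hint that one process is issuing them, but neither proves what the process is; as the post notes, with uRPF and BCP38 in place the source addresses are the real hosts, so the useful follow-up is on those machines, not on the resolver.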


