[dns-operations] "NS .", the attack of the month?

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Jan 24 22:05:40 UTC 2009


It is still trendy, apparently. As I watch one recursive name server
(but I see nothing on many others), I see 2-3 p/s of "NS ." queries
claiming to come from 206.71.158.30 and even from 66.230.160.1
(pretending to be ISPrime).

Still no perfect solution for it?

At least dnscap is great to watch it:

sudo dnscap -i eth0 -w isprime-attack -g -s i -x '^\.$'

Any way with dnscap to restrict the QTYPE of the query?
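
An added example, not part of the original post and not dnscap code: a Python check that matches on both QNAME "." and QTYPE NS by decoding the question section of each captured DNS payload, then tallies matches per claimed source address. The function names and the sample packets (built inline, using documentation addresses) are constructed for illustration.

```python
import struct
from collections import Counter

QTYPE_NS = 2

def parse_question(msg: bytes):
    """Return (qname, qtype, is_query) for the first question, or None if malformed."""
    if len(msg) < 12:                       # DNS header is always 12 bytes
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:                     # root label terminates the name
            break
        if length > 63 or pos + length > len(msg):
            return None                     # pointer/reserved bits or truncated label
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):                  # QTYPE + QCLASS must follow the name
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype, not (flags & 0x8000)

def is_root_ns_query(msg: bytes) -> bool:
    """True only for a query (QR=0) whose question is exactly '. NS'."""
    return parse_question(msg) == (".", QTYPE_NS, True)

def count_root_ns(packets):
    """Tally '. NS' queries per claimed source address."""
    return Counter(src for src, payload in packets if is_root_ns_query(payload))

def build_query(qname: str, qtype: int, flags: int = 0x0100) -> bytes:
    """Build a minimal DNS message; used only to construct the sample input."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + name + b"\x00" \
        + struct.pack("!HH", qtype, 1)

# Constructed sample input: (claimed source, UDP payload)
SAMPLES = [
    ("192.0.2.10", build_query(".", 2)),
    ("192.0.2.10", build_query(".", 2)),
    ("198.51.100.7", build_query("example.com.", 2)),   # NS, but not the root
    ("198.51.100.7", build_query(".", 1)),              # root, but QTYPE A
    ("192.0.2.10", build_query(".", 2)[:14]),           # truncated question
]
```

Since the source addresses in this kind of traffic are claimed rather than verified, the per-source tally identifies the addresses being impersonated, not the sender.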


