[dns-operations] ziyouforever.com

Michael Graff mgraff at isc.org
Fri Jun 12 21:08:07 UTC 2009


I believe it may be an organized open resolver probe. I have seen many
things like this on my not open resolver as well. Additionally I have
seen probes to my http server using identical hash values.

--Michael


On Jun 12, 2009, at 16:19, Jeroen Massar <jeroen at unfix.org> wrote:

> John Kristoff wrote:
> [..]
>> Thanks to a colleague, Toni @ F-secure, this is apparently related to
>> software signed by Dynamic Internet Technologies, Inc.  It's not clear
>> what the qnames or answers mean, but it could be some sort of id or
>> tracking mechanism.
>
> Have you checked if it might be DNS tunneling or some other sort of
> covert channel? Using A records might not be the fastest/best way to
> abuse DNS for that, but at least every DNS recursor will understand it
> and pass it on (Some of those &#%&^&% NAT boxes don't get it when you
> ask for a TXT record or when that TXT record is a bit on the long side)
>
> Greets,
> Jeroen


