[dns-operations] Odd query pattern
dwessels at verisign.com
Wed Dec 22 17:14:07 UTC 2010
On Dec 22, 2010, at 8:27 AM, Florian Weimer wrote:
> There are authoritative servers which receive the following sequence
> of queries from a certain resolver (which appears to be legitimate and
> also used as an authoritative server):
> - a non-recursive query for EXAMPLE.COM, EDNS0-enabled, DO bit set,
> sometimes also with the CD bit set
> - a query for XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM, where
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is a label containing 32 characters
> which appear to be semi-random. Again RD=0, but no EDNS0.
> - a query for YYYYYYYYYYYYYYYYYYYYYYYY.XXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM,
> YYYYYYYYYYYYYYYYYYYYYYYY and XXXXXXXXXXXXXXXXXXXXXXXX are labels
> containing 32 characters which appear to be semi-random.
> RD=0, no EDNS0.
Kind of looks like someone trying to do NSEC walking and getting it
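An added example, not part of the original posts: one way an operator could search a query log for the three-step sequence described in the quoted message. The record fields, the reading of "semi-random" as 32 lowercase alphanumerics, and the sample queries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

ZONE = "example.com"                    # zone name used in the post
LABEL = re.compile(r"^[a-z0-9]{32}$")   # assumption: "semi-random" = 32 alphanumerics

def step(q, zone=ZONE):
    """Return which step (1, 2 or 3) of the described sequence a query matches, else 0."""
    if q["rd"]:                          # every query in the pattern has RD=0
        return 0
    name = q["qname"].lower().rstrip(".")
    if name == zone:                     # step 1: apex query, EDNS0 with DO set
        return 1 if q["edns"] and q["do"] else 0
    if q["edns"] or not name.endswith("." + zone):
        return 0                         # steps 2 and 3 carry no EDNS0
    labels = name[: -len(zone) - 1].split(".")
    if len(labels) in (1, 2) and all(LABEL.match(l) for l in labels):
        return len(labels) + 1           # one label -> step 2, two labels -> step 3
    return 0

def find_sources(queries, zone=ZONE):
    """Sources that hit steps 1, 2, 3 in order; unrelated queries may interleave."""
    progress = defaultdict(int)          # source -> highest step completed so far
    for q in queries:                    # queries are assumed to be in time order
        s = step(q, zone)
        if s and s == progress[q["src"]] + 1:
            progress[q["src"]] = s
    return sorted(src for src, p in progress.items() if p == 3)

# Constructed sample data (documentation addresses, made-up labels).
X = "k3f9q0z7m1x8c2v5b6n4a0s9d8f7g6h5"
Y = "p0o9i8u7y6t5r4e3w2q1l0k9j8h7g6f5"
def q(src, qname, rd=False, edns=False, do=False):
    return {"src": src, "qname": qname, "rd": rd, "edns": edns, "do": do}

SAMPLE = [
    q("192.0.2.10", "EXAMPLE.COM.", edns=True, do=True),
    q("198.51.100.7", "www.example.com.", rd=True, edns=True),
    q("192.0.2.10", X + ".example.com."),
    q("203.0.113.5", X + ".example.com."),          # step 2 without step 1
    q("198.51.100.7", "example.com.", edns=True, do=True),
    q("192.0.2.10", Y + "." + X + ".example.com."),
]

if __name__ == "__main__":
    print(find_sources(SAMPLE))
```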