[dns-operations] High DNS query levels from certain IPs
Phil Pennock
dnsop+phil at spodhuis.org
Tue Jul 6 08:16:58 UTC 2010

I noticed high levels of DNS traffic coming from two IPs which, between
them, make up more than a third of my entire DNS traffic volume. I
first checked in with one of my contacts, who I secondary for and for
whom I'd added a couple of zones around the time my traffic levels
increased at the end of April. He sees this. I checked in with another
contact, who secondaries a disjoint set of domains for me, and he too
sees this traffic.

In both cases, it's repeated resolution attempts for A/AAAA for entries
used as NS glue records. The queries are coming in with EDNS0/4096/DO
so I'm inclined to think it's not a completely naive client; I tried
disabling NSID to see if that would help, but no.

Is anyone else seeing high levels of traffic from [12.130.136.11] and
[80.243.68.34]?

Source          Query Name            Count      %
--------------- ----------------- --------- ------
12.130.136.11   nlns.globnix.net       1563   21.1
12.130.136.11   nlns6.globnix.net       322    4.3
12.130.136.11   nlns4.globnix.net       320    4.3
80.243.68.34    nlns.globnix.net        246    3.3
80.243.68.34    nlns4.globnix.net        68    0.9
80.243.68.34    nlns6.globnix.net        55    0.7

Thanks,
-Phil
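
One way to build a per-source tally like the table in the message above, as an added example that is not part of the original post. It assumes BIND-style query-log lines (the post does not say which tool produced its numbers); `top_talkers`, `SAMPLE_LOG`, the log lines and the 25% threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the older BIND querylog layout (assumption, see lead-in).
SAMPLE_LOG = """\
client 12.130.136.11#40112: query: nlns.globnix.net IN A -ED
client 12.130.136.11#40113: query: nlns.globnix.net IN AAAA -ED
client 12.130.136.11#40114: query: nlns.globnix.net IN A -ED
client 12.130.136.11#40115: query: nlns6.globnix.net IN AAAA -ED
client 80.243.68.34#5301: query: nlns.globnix.net IN A -ED
client 192.0.2.10#33001: query: www.example.org IN A +
client 192.0.2.10#33002: query: example.org IN MX +
client 198.51.100.7#1025: query: example.org IN NS -E
client 198.51.100.7#1026: query: nlns4.globnix.net IN A -
client 203.0.113.5#6000: query: www.example.org IN AAAA +
"""

LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def top_talkers(log_text, ns_names, min_share=25.0):
    """Tally A/AAAA queries for name-server host names per (source, qname).

    Returns (rows, flagged): rows are (source, qname, count, percent of ALL
    parsed queries), busiest first; flagged lists sources whose combined
    NS-host lookups reach min_share percent of all parsed queries.
    """
    total = 0
    pairs, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line, or a layout this regex does not cover
        total += 1
        qname = m["qname"].rstrip(".").lower()
        if qname in ns_names and m["qtype"] in ("A", "AAAA"):
            pairs[(m["src"], qname)] += 1
            per_source[m["src"]] += 1
    if total == 0:
        return [], []
    rows = [(s, q, n, round(100.0 * n / total, 1))
            for (s, q), n in pairs.most_common()]
    flagged = sorted(s for s, n in per_source.items()
                     if 100.0 * n / total >= min_share)
    return rows, flagged

if __name__ == "__main__":
    ns = {"nlns.globnix.net", "nlns4.globnix.net", "nlns6.globnix.net"}
    for row in top_talkers(SAMPLE_LOG, ns)[0]:
        print("%-15s %-18s %6d %6.1f" % row)
```
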