[dns-operations] DNS Queries from some 8.0/16 ranges

John Kristoff jtk at cymru.com
Thu Jun 3 19:08:20 UTC 2010


On Fri, 28 May 2010 11:27:36 -0700
"Sam Norris" <Sam at ChangeIP.com> wrote:

> I am investigating something curious and wondered if anyone out there
> knows anything about these ranges?

I've seen some of this.  It looks like a massive enumeration attempt.
Looks like they are querying for all valid A/AAAA RRs they've found out
about and PTR queries.

EDNS is in use and DO is set.  CD was set if the query was for the name
of the auth server.  RD not set.

Some massive DNSSEC measurement perhaps?

The 8.0.0.0/15 prefix is routed by NTL, PTR names make it look like
various virginmedia broadband hosts in the UK.

Whatever it is, it is not very efficient.  Different addresses are
querying for the same thing over and over.  Very noisy.

Have you or anyone attempted to contact the source netblock admins?
I'm happy to find someone to ping about it.

John
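
An added example, not part of the original message: one way an authoritative server operator could check captured queries for the flag combination described above (EDNS present, DO set, RD clear, CD noted separately). The helper names, the sample queries and the example.com names are constructed for illustration.

```python
import struct

RD, CD = 0x0100, 0x0010    # header flag bits (RFC 1035, RFC 4035)
TYPE_OPT, DO = 41, 0x8000  # EDNS0 OPT pseudo-RR and its DO bit (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + length

def query_flags(msg):
    """Extract RD, CD, EDNS presence and DO from one DNS query message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                # question: name, type, class
        off = skip_name(msg, off) + 4
    edns = do = False
    for _ in range(an + ns + ar):      # walk the RRs looking for OPT
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:          # DO is the top bit of the low 16 TTL bits
            edns, do = True, bool(ttl & DO)
    return {"rd": bool(flags & RD), "cd": bool(flags & CD), "edns": edns, "do": do}

def matches_pattern(msg):
    """True for the combination described in the post: EDNS, DO set, RD clear."""
    f = query_flags(msg)
    return f["edns"] and f["do"] and not f["rd"]

def build_query(name, qtype, flags, opt_ttl=None):
    """Build a constructed sample query; opt_ttl=None means no EDNS."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0 if opt_ttl is None else 1)
    msg += qname + struct.pack("!HH", qtype, 1)
    if opt_ttl is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, opt_ttl, 0)
    return msg

# Constructed samples (example.com is a placeholder zone)
SCAN_LIKE = build_query("www.example.com", 1, 0x0000, DO)  # EDNS, DO, no RD
SCAN_NS = build_query("ns1.example.com", 1, CD, DO)        # same, with CD set
STUB = build_query("www.example.com", 1, RD)               # plain stub query
RESOLVER = build_query("www.example.com", 28, 0x0000, 0)   # EDNS, DO clear
```

Counting matches per source address and per query name over a capture would also show the repetition noted in the message.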


