[dns-operations] DNS Queries from some 8.0/16 ranges

Sam Norris Sam at ChangeIP.com
Fri May 28 18:27:36 UTC 2010


Hey all,

I am investigating something curious and wondered if anyone out there knows 
anything about these ranges?

Query_Count Range
18804 8.0.10.x/24
17332 8.0.11.x/24
21841 8.0.14.x/24
17059 8.0.15.x/24
38549 8.0.22.x/24
33730 8.0.23.x/24
8687 8.0.28.x/24
7873 8.0.29.x/24
5618 8.0.30.x/24
5864 8.0.31.x/24
80595 8.0.35.x/24
9722 8.0.36.x/24
12609 8.0.37.x/24
13037 8.0.38.x/24
16141 8.0.39.x/24
10312 8.0.4.x/24
11225 8.0.5.x/24
10954 8.0.6.x/24
12429 8.0.7.x/24

We are seeing all 255 addresses in each range performing DNS queries to our 
authoritative servers.  I am trying to determine what the sources are. Here 
are my thoughts:

1 - NATed / rotated backend queries from Google's public recursive servers? 
Or other researchers?

2 - spoofed UDP sources from hackers trying to inject false queries into our 
logs?

3 - SIE-related?

Does anyone know what's behind these ranges?

Thx,
Sam
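
Added example, not part of the original post: one way to build the per-/24 table above from an authoritative server's query log and to flag prefixes where almost every host address appears as a source. The log layout (`<epoch> <source_ip> <qname> <qtype>`), the function names and the 0.9 coverage threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict


def make_sample():
    """Constructed log lines in the assumed '<epoch> <src> <qname> <qtype>' layout."""
    lines = []
    # 255 addresses of one /24, two queries each (mirrors the pattern in the post)
    for host in range(1, 256):
        lines += [f"1275071256 8.0.10.{host} www.example.com A"] * 2
    # one ordinary resolver in an unrelated prefix
    lines += ["1275071300 192.0.2.53 mail.example.com MX"] * 40
    # malformed input that must be skipped, not crash the run
    lines += ["truncated line", "1275071301 not-an-ip example.com A"]
    return lines


def summarize(lines, min_coverage=0.9):
    """Group queries by source /24; report volume and address coverage."""
    per_prefix = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        if src.version != 4:
            continue
        prefix = ipaddress.ip_network(f"{src}/24", strict=False)
        per_prefix[prefix][src] += 1

    rows = []
    for prefix, counts in per_prefix.items():
        distinct = len(counts)
        rows.append({
            "prefix": str(prefix),
            "queries": sum(counts.values()),
            "distinct_sources": distinct,
            # share of the 256 addresses in the /24 seen as a query source
            "flagged": distinct / 256 >= min_coverage,
        })
    return sorted(rows, key=lambda r: r["queries"], reverse=True)


if __name__ == "__main__":
    for r in summarize(make_sample()):
        print(f'{r["queries"]:>8} {r["prefix"]:<18} '
              f'{r["distinct_sources"]:>3} sources flagged={r["flagged"]}')
```

High coverage alone does not separate the hypotheses in the post (a rotating NAT pool and randomized spoofed sources both produce it); it only identifies which prefixes deserve a closer look.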




