[dns-operations] DNS Queries from some 8.0/16 ranges
Sam Norris
Sam at ChangeIP.com
Fri May 28 18:27:36 UTC 2010
Hey all,
I am investigating something curious and wondered if anyone out there knows
anything about these ranges?
Query_Count Range
18804 8.0.10.x/24
17332 8.0.11.x/24
21841 8.0.14.x/24
17059 8.0.15.x/24
38549 8.0.22.x/24
33730 8.0.23.x/24
8687 8.0.28.x/24
7873 8.0.29.x/24
5618 8.0.30.x/24
5864 8.0.31.x/24
80595 8.0.35.x/24
9722 8.0.36.x/24
12609 8.0.37.x/24
13037 8.0.38.x/24
16141 8.0.39.x/24
10312 8.0.4.x/24
11225 8.0.5.x/24
10954 8.0.6.x/24
12429 8.0.7.x/24
We are seeing all 255 addresses in each range performing DNS queries to our
authoritative servers. I am trying to determine what the sources are. Here
are my thoughts:
1 - NATed / rotated backend queries from Google's public recursive servers?
Or other researchers?
2 - spoofed UDP sources from hackers trying to inject false queries into our
logs?
3 - SIE-related?
Does anyone know what's behind these ranges?
Thx,
Sam
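
An added example, not part of the original post: one way to build a per-/24 table like the one above from an authoritative server's query log and to check the "every address in the range is querying" observation. The function names, the `min_hosts` threshold and the sample source addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def summarize_by_slash24(sources, watch="8.0.0.0/16"):
    """Return {/24 network: (query_count, distinct_source_count)} for
    query sources that fall inside the watched prefix."""
    watch_net = ipaddress.ip_network(watch)
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for src in sources:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed log field, skip it
        if addr.version != 4 or addr not in watch_net:
            continue
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        counts[net] += 1
        hosts[net].add(addr)
    return {net: (counts[net], len(hosts[net])) for net in counts}

def fully_active(summary, min_hosts=250):
    """/24s in which nearly every address appeared as a query source.
    min_hosts is an assumed threshold, not a value from the post."""
    return sorted(net for net, (_, n) in summary.items() if n >= min_hosts)

# Constructed sample: source addresses as extracted from a query log.
SAMPLE = ([f"8.0.35.{i}" for i in range(1, 256)] * 2
          + ["8.0.4.10", "8.0.4.10", "8.0.4.77", "192.0.2.53", "not-an-ip"])

if __name__ == "__main__":
    summary = summarize_by_slash24(SAMPLE)
    print("Query_Count Distinct_Sources Range")
    for net in sorted(summary):
        q, n = summary[net]
        print(f"{q:>11} {n:>16} {net}")
    # Counts alone cannot separate real resolvers from spoofed UDP sources;
    # they only show which ranges are worth a closer look.
    print("fully active:", [str(n) for n in fully_active(summary)])
```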