[dns-operations] 126.96.36.199 / 188.8.131.52 also being used as authoritative NSs?
Patrick W. Gilmore
patrick at ianai.net
Tue Mar 8 22:07:17 UTC 2011
On Mar 8, 2011, at 4:56 PM, David Ulevitch wrote:
> On Mar 8, 2011, at 10:05 AM, Chris Thompson wrote:
>> To save me arranging some packet capture, can anyone say whether this
>> is true? It is possible, of course, that the domain(s) in question
>> are nothing to do with Google qua se, as any black hat could point
>> his NSs at these addresses - but to achieve what?
> This happens to us in /large/ volumes periodically for reasons that bewilder us. The queries don't work as RD bit isn't set.
If you write the botnet software, you can ignore the RD bit.
Then you get to just use the largess of OpenDNS (or Google, or whatever) instead of having your own infrastructure.
Did you track where your name servers got the answers in the first place?
> If someone wants to discuss further, off-list, I am happy to provide details. I have a list from six months ago of about 1000 seemingly unrelated domains that pointed to us six months ago, and today not a single one does. In six months, the current list will turn over again.
> It's bizarre, to say the least, though it causes us insignificant operational pain, so it's not a focus.
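An added example, not part of the original thread: one way a resolver operator could measure the traffic discussed above, by parsing captured DNS query payloads and counting the query names that arrive with the RD bit clear. The packets, names and function names below are constructed for illustration.

```python
import struct
from collections import Counter

RD_FLAG = 0x0100  # Recursion Desired bit in the DNS header flags word
QR_FLAG = 0x8000  # set on responses, clear on queries


def build_query(qname, rd, txid=0x1234):
    """Construct a minimal DNS query payload (sample input for this example)."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query(payload):
    """Return (qname, rd_set) for a query, or None if malformed or a response."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & QR_FLAG or qdcount != 1:
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            return None  # compression pointer or overrun: not valid in a question
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos >= len(payload):
        return None  # name ran off the end of the packet
    return ".".join(labels), bool(flags & RD_FLAG)


def non_recursive_names(payloads):
    """Count query names that arrived at the resolver with RD clear."""
    counts = Counter()
    for parsed in map(parse_query, payloads):
        if parsed and not parsed[1]:
            counts[parsed[0]] += 1
    return counts


# Constructed sample capture: two RD=0 queries, one normal RD=1 query, one runt.
SAMPLE = [
    build_query("www.example.test", rd=False),
    build_query("WWW.example.test", rd=False),
    build_query("client.example.net", rd=True),
    b"\x00\x01",
]
```

On real traffic the payloads would come from a packet capture or query log at the resolver; comparing the resulting counts between collection periods shows how the set of affected names changes over time.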