[dns-operations] Abnormal activity fron chinanet?

Paul J. Smith pjsmith at mtgsy.net
Fri Jan 20 10:09:36 UTC 2012

The goggle ranges are possibly because they are querying Google's public dns servers and they are resolving the query? The number of domains is huge.  Not sure where they sourced these as they are not just tld's where the zone file is available.

We are still seeing it.  Another burst about 20 minutes ago.  We simply drop that traffic now.  

-----Original Message-----
From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Torsten Segner
Sent: 20 January 2012 10:05
To: Roberto Navarro - TusProfesionales.es
Cc: dns-operations at lists.dns-oarc.net
Subject: Re: [dns-operations] Abnormal activity fron chinanet?

Am Fri, 2 Dec 2011 12:18:01 +0100
schrieb "Roberto Navarro - TusProfesionales.es" <rnavarro at tusprofesionales.es>:

> See attached image.
> Querys come frome chinanet, and when one IP is firewalled another one takes 
> his place.

Is anyone else still seeing this in their statistics?

The only thing that has changed is the amount of domains asked for. The formerly static set of 176 domains has increased to 2695.
Another thing that has changed are the hosts being asked for. Initially it has just been the domain itself. By the end of December 2011 we also received ANY requests for the nameservers used and since last week we also receive ANY requests for hosts like www or mail.

Furthermore it's not just IP's from CHINANET anymore but also a substantial amount of queries coming from GOOGLE net ranges.


More information about the dns-operations mailing list