[dns-operations] DNS question

paul vixie paul at redbarn.org
Thu Oct 25 18:31:30 UTC 2012


On 10/25/2012 6:23 PM, Jason Lewis wrote:
> Does anyone recognize what is going on here?
>
> I suspect it's malicious, but I can't figure out what the goal is.  Is
> it just an attempt to hide bad guy infrastructure?
>
> trexcil.info. IN NS ns3.urqwk.info.
> trexcil.info. IN NS ns4.urqwk.info.
> trexcil.info. IN NS ns1.rcbiil.info.
> trexcil.info. IN NS ns2.rcbiil.info.
> trexcil.info. IN CNAME d51.aczdmxkgr1ik.trexcil.info.
> trexcil.info. IN CNAME d5a.b1w8xqzktn6h.trexcil.info.
> trexcil.info. IN CNAME d5a.c5383kpdz8zo.trexcil.info.
> trexcil.info. IN CNAME d5a.c8kn44b8axpm.trexcil.info.
> trexcil.info. IN CNAME d5a.cztm14bsw1rn.trexcil.info.
> trexcil.info. IN CNAME d5a.df81qezk2khs.trexcil.info.
> trexcil.info. IN CNAME dv8.afyb1y7ihhix.trexcil.info.
> trexcil.info. IN CNAME dva.beq1iktr59qe.trexcil.info.
> trexcil.info. IN CNAME d518.adv3uyrx32g.trexcil.info.
> <snip>

this is more likely a protocol-violating load balancer than a bad guy.
--paul
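
The quoted listing breaks two DNS rules: a name that owns a CNAME may hold no other data (RFC 1034 section 3.6.2), and a name may have only one CNAME (RFC 2181 section 10.1). The Python check below is an added example, not part of either message; it flags both conditions over a subset of the records quoted above, and its function names are hypothetical.

```python
from collections import defaultdict

# Subset of the records quoted in the message above.
RECORDS = """\
trexcil.info. IN NS ns3.urqwk.info.
trexcil.info. IN NS ns1.rcbiil.info.
trexcil.info. IN CNAME d51.aczdmxkgr1ik.trexcil.info.
trexcil.info. IN CNAME d5a.b1w8xqzktn6h.trexcil.info.
<snip>
"""


def parse(text):
    """Yield (owner, rtype, rdata) from 'owner IN TYPE rdata' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue  # skip blanks, '<snip>' and anything not in this form
        yield fields[0].lower(), fields[2].upper(), " ".join(fields[3:]).lower()


def cname_violations(records):
    """Return sorted (owner, rule, detail) findings for CNAME misuse."""
    by_owner = defaultdict(lambda: defaultdict(set))
    for owner, rtype, rdata in records:
        by_owner[owner][rtype].add(rdata)

    findings = []
    for owner, types in by_owner.items():
        cnames = types.get("CNAME", set())
        if not cnames:
            continue
        if len(cnames) > 1:
            findings.append((owner, "multiple-cname",
                             f"{len(cnames)} distinct targets"))
        # DNSSEC's RRSIG and NSEC are the types allowed beside a CNAME.
        others = sorted(set(types) - {"CNAME", "RRSIG", "NSEC"})
        if others:
            findings.append((owner, "cname-and-other-data", ",".join(others)))
    return sorted(findings)


if __name__ == "__main__":
    for owner, rule, detail in cname_violations(parse(RECORDS)):
        print(f"{owner}\t{rule}\t{detail}")
```

Run over passive-DNS or zone-transfer output, the same check separates names that merely violate the protocol from names that need a closer look for other reasons.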


