[dns-operations] Weird query name "case" queries?

Rubens Kuhl rubensk at nic.br
Wed Sep 19 01:01:18 UTC 2012


Or bad guys posing as good guys. You need to check the "evil bit" (http://www.ietf.org/rfc/rfc3514.txt) to figure out which one.


Rubens


On 18/09/2012, at 21:25, Mohamed Lrhazi wrote:

> Great, thanks a lot guys. So this is most likely good guys, not bad
> guys as one would suspect at first!
> 
> Mohamed.
> 
> On Tue, Sep 18, 2012 at 8:14 PM, David Miller <dmiller at tiggee.com> wrote:
>> 
>> 
>> On 9/18/2012 8:06 PM, Mohamed Lrhazi wrote:
>>> I've noticed quite a bit of queries to our DNS servers, that look
>>> pretty normal except for the fact that the character case is weird..
>>> seems to be switching case randomly!
>>> 
>>> like:
>>> 
>>> nAme1.dOMain.Com
>>> naMe2.DOMain.coM
>>> ...
>>> 
>>> and so on..
>>> 
>>> I am wondering if this is my DNS server logging issue, or some bug or
>>> attack/scan technique out there.
>> 
>> Probably just 0x20 bit encoding.
>> 
>> Refs:
>> https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
>> https://isc.sans.edu/diary.html?storyid=12418
>> 
>> -DMM
>> 
>>> Thanks,
>>> Mohamed.
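Added example, not part of the thread or of the referenced draft: a Python sketch of the 0x20 case randomization named in the replies, showing the resolver-side check (the name echoed in the response must match the sent name case-exactly) and the operator-side view (mixed-case names in a query log fold to the same DNS name). All function names are hypothetical, and the sample log is constructed from the two names in the original post.

```python
import secrets
from collections import defaultdict

def encode_0x20(qname: str) -> str:
    """Resolver side: pick the case (the 0x20 bit) of every ASCII letter at random."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in qname
    )

def entropy_bits(qname: str) -> int:
    """Each ASCII letter adds one bit an off-path spoofer has to guess."""
    return sum(c.isascii() and c.isalpha() for c in qname)

def accept_response(sent: str, echoed: str) -> bool:
    """Resolver side: the question echoed in the reply must match case-exactly."""
    return sent == echoed

def is_mixed_case(qname: str) -> bool:
    """Log side: the name carries both upper- and lower-case letters."""
    return any(c.islower() for c in qname) and any(c.isupper() for c in qname)

def fold_log(qnames):
    """Log side: group logged names by their lower-cased form (DNS name
    matching is case-insensitive), keeping every spelling seen."""
    groups = defaultdict(set)
    for q in qnames:
        groups[q.lower()].add(q)
    return dict(groups)

# Constructed sample: the two names from the original post plus two variants.
SAMPLE_LOG = ["nAme1.dOMain.Com", "naMe2.DOMain.coM",
              "name1.domain.com", "NAme1.doMAIN.cOm"]

if __name__ == "__main__":
    sent = encode_0x20("name1.domain.com")
    print(sent, "->", entropy_bits(sent), "extra bits")
    print("exact echo accepted:      ", accept_response(sent, sent))
    print("wrong-case reply accepted:", accept_response(sent, sent.swapcase()))
    for folded, seen in fold_log(SAMPLE_LOG).items():
        print(folded, {s: is_mixed_case(s) for s in sorted(seen)})
```
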