[dns-operations] Weird query name "case" queries?
Rubens Kuhl
rubensk at nic.br
Wed Sep 19 01:01:18 UTC 2012
Or bad guys posing as good guys. You need to check "evil bit" (http://www.ietf.org/rfc/rfc3514.txt) to figure out which one.
Rubens
On 18/09/2012, at 21:25, Mohamed Lrhazi wrote:
> Great, thanks a lot guys. So this is most likely good guys, not bad
> guys as one would suspect at first!
>
> Mohamed.
>
> On Tue, Sep 18, 2012 at 8:14 PM, David Miller <dmiller at tiggee.com> wrote:
>>
>>
>> On 9/18/2012 8:06 PM, Mohamed Lrhazi wrote:
>>> I've noticed quite a bit of queries to our DNS servers, that look
>>> pretty normal except for the fact that the character case is weird..
>>> seems to be switching case randomly!
>>>
>>> like:
>>>
>>> nAme1.dOMain.Com
>>> naMe2.DOMain.coM
>>> ...
>>>
>>> and so on..
>>>
>>> I am wondering if this is my DNS server logging issue, or some bug or
>>> attack/scan technique out there.
>>
>> Probably just 0x20 bit encoding.
>>
>> Refs:
>> https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
>> https://isc.sans.edu/diary.html?storyid=12418
>>
>> -DMM
>>
>>> Thanks,
>>> Mohamed.
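An added illustration of the 0x20 encoding referenced in the thread (not code from any poster or from any resolver): the resolver randomises the case of the query name and accepts only a response that echoes the same case pattern, and a log-triage helper groups logged names case-insensitively to show which ones arrive in several case variants. The function names and every sample name other than the two quoted in the thread are constructed for this example.

```python
import secrets
from collections import defaultdict


def encode_0x20(qname: str) -> str:
    """Resolver side: flip the case of each ASCII letter at random."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower()) if c.isalpha() else c
        for c in qname
    )


def response_matches(sent_qname: str, echoed_qname: str) -> bool:
    """Resolver side: the question section must echo the exact case sent.
    A case-insensitive match is not enough; that is the whole point."""
    return sent_qname == echoed_qname


def looks_0x20(qname: str) -> bool:
    """Log triage: True if any label has mixed case that is not simply
    all-lower, all-upper or Capitalised (patterns humans and software
    produce without any randomisation)."""
    labels = qname.rstrip(".").split(".")
    return any(l not in (l.lower(), l.upper(), l.capitalize()) for l in labels)


def triage(logged_qnames):
    """Group names case-insensitively and return, for each name seen with
    randomised-looking case, the number of distinct case variants logged."""
    variants = defaultdict(set)
    for q in logged_qnames:
        variants[q.lower()].add(q)
    return {
        name: len(seen)
        for name, seen in variants.items()
        if any(looks_0x20(q) for q in seen)
    }


# Constructed sample: the first two names are the ones quoted in the thread,
# the rest are made up for the example.
SAMPLE_LOG = [
    "nAme1.dOMain.Com",
    "naMe2.DOMain.coM",
    "NAme1.DomAIN.cOm",
    "www.example.com",
    "Www.Example.Com",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The per-name check is a heuristic, since a random pattern can by chance come out all lowercase; the variant count across repeated queries for the same name is the stronger signal.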