[dns-operations] Alert: Massive increase in type A6 queries.

David Dagon dagon at sudo.sh
Wed Oct 16 13:44:56 UTC 2013


On Wed, Oct 16, 2013 at 09:43:56AM +0100, Roy Arends wrote:

> Since October the 12th, 2013, starting at approximately 16:00 UTC,
> we see a massive increase in type A6 queries. This is not due to a
> single resolver, but due to several resolvers exhibiting the same
> behaviour. We're investigating, but want to alert the TLD community
> while asking for help as well: If anyone has more info, it would be
> greatly appreciated.

There are several new scanning tools in the security industry, e.g.:

    https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_durumeric.pdf

    https://zmap.io

There are many new research efforts and cottage industries using these
tools.  (And these tools don't consider RFC 1262, but do have some
policy considerations in their design.)

It might be that some individuals are now querying open recursives for
assorted qtypes.  If so, you would see (a) mostly open recursives
doing A6? queries, (b) perhaps other qtypes for the same qnames, close
in time, from the same open recursives.

If there are no other likely explanations, you might start with this
theory, and look for those symptoms.

-- 
David Dagon
dagon at sudo.sh
D970 6D9E E500 E877 B1E3  D3F8 5937 48DC 0FDC E717
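
One way to look for symptoms (a) and (b) in an authoritative server's query log, as an added example that is not part of the original message. The log format, the 5-second window, the sample lines and the KNOWN_OPEN list of open recursives are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: "<epoch seconds> <source IP> <qname> <qtype>" (documentation IP ranges).
SAMPLE_LOG = """\
1381593600.10 192.0.2.10 example.tld. A6
1381593600.40 192.0.2.10 example.tld. AAAA
1381593601.00 192.0.2.10 example.tld. MX
1381593602.00 198.51.100.7 foo.tld. A6
1381593602.30 198.51.100.7 foo.tld. TXT
1381593610.00 203.0.113.5 bar.tld. A6
1381593700.00 203.0.113.5 bar.tld. A
1381593611.00 203.0.113.9 baz.tld. A
"""

# Assumption: a separately obtained list of sources known to be open recursives.
KNOWN_OPEN = {"192.0.2.10", "198.51.100.7"}

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, qname, qtype = parts
        yield float(ts), src, qname.lower(), qtype.upper()

def a6_symptoms(log, open_resolvers, window=5.0):
    by_key = defaultdict(list)  # (src, qname) -> [(ts, qtype)]
    for ts, src, qname, qtype in parse(log):
        by_key[(src, qname)].append((ts, qtype))
    a6_sources, clustered = set(), {}
    for (src, qname), queries in by_key.items():
        a6_times = [ts for ts, qt in queries if qt == "A6"]
        if not a6_times:
            continue
        a6_sources.add(src)
        # Symptom (b): other qtypes for the same qname, same source, close in time.
        near = sorted({qt for ts, qt in queries if qt != "A6"
                       and any(abs(ts - t) <= window for t in a6_times)})
        if near:
            clustered[(src, qname)] = near
    # Symptom (a): share of A6-querying sources that are known open recursives.
    open_share = len(a6_sources & open_resolvers) / len(a6_sources) if a6_sources else 0.0
    return {"a6_sources": a6_sources, "open_share": open_share, "clustered": clustered}

if __name__ == "__main__":
    print(a6_symptoms(SAMPLE_LOG, KNOWN_OPEN))
```

A high open_share together with many entries in clustered would fit the scanning theory; A6 sources with no nearby qtypes (203.0.113.5 in the sample) would not.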


