[dns-operations] traffic jam

Michael Sinatra michael at brokendns.net
Mon Apr 27 16:48:23 UTC 2015


On 04/26/15 22:46, Roland Dobbins wrote:
> 
> On 27 Apr 2015, at 11:56, Randy Bush wrote:
> 
>> looks normal except the server is not (supposed to be) recursive
> 
> It would be really interesting to see the actual RRs being queried - see
> if they look like some of the prepending attacks we've seen, or
> something else.

+1

> Most of the prepending attacks are for A records, AFAIK.

The addresses Randy shared appear to be the backed queriers of the
public authoritative services.  It would also be interesting to see the
TTLs of the things being queried, since one of the reasons you'll tend
to get repeated queries from those servers is low/zero TTLs combined
with someone's attempt at leverage (e.g. generating large responses from
the public recursive services).  I am thinking the front-ends here could
be Google Public DNS, Nomimum SKYE, and similar, although I am not
completely sure.

michael



More information about the dns-operations mailing list