[dns-operations] 192.0.32.10 is for example.com

Robert Edmonds edmonds at mycre.ws
Tue Oct 4 16:16:13 UTC 2016


Manos Antonakakis wrote:
> On Tue, Oct 4, 2016 at 8:26 AM, Paul Vixie <paul at redbarn.org> wrote:
> > it's because i expect it's often the result of ignorance, or ill intent,
> > that i hate seeing this in pDNS.
> 
> Paul, I think you should revisit this position. Perhaps, such "odd" or
> wrong RRs could carry very interesting forensic information ---
> especially when you can see them at scale.

Well, now that you mention scale... the database that Paul is querying
is based on trillions of passive DNS observations, and I only count a
dozen or so uses of that particular IP address in 2016. So, that would
make it a particularly rare misconfiguration, much rarer than other
types.

If you search DNSDB for 0.0.0.0, 1.1.1.1, 255.255.255.255, or other
obviously "bad" values, etc. you'll get many orders of magnitude more
hits than this one.

Unless a particular A-record is actively being misused (e.g. to direct
DDoS traffic, or for botnet C&C, etc.) I don't see much point in calling
out matches for particular values.

-- 
Robert Edmonds
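The prevalence argument above (a specific A-record value like 192.0.32.10 is rare next to obviously bad values such as 0.0.0.0 or 255.255.255.255) can be checked mechanically over a passive DNS export. The following Python is an added example, not code from the thread or from DNSDB; it assumes a constructed flat "rrname rrtype rdata count" format and sample counts that are made up for illustration.

```python
"""Tally passive-DNS A-record rdata by address class and by exact value.

The record format and every count below are constructed for this example;
real pDNS exports use their own schema and far larger numbers.
"""
import ipaddress
from collections import Counter

SAMPLE_PDNS = """\
www.example.test A 192.0.32.10 3
mail.example.test A 0.0.0.0 1200
cdn.example.test A 1.1.1.1 80
dead.example.test A 255.255.255.255 450
lab.example.test A 192.0.2.1 7
home.example.test A 10.0.0.5 900
"""


def classify(addr: str) -> str:
    """Bucket an IPv4 rdata value into an "obviously bad" class or 'global'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0
        return "unspecified"
    if ip.is_loopback:             # 127.0.0.0/8
        return "loopback"
    if ip.is_multicast or ip.is_link_local:
        return "multicast/link-local"
    if ip.is_reserved:             # 240.0.0.0/4, includes 255.255.255.255
        return "reserved"
    if ip.is_private:              # RFC 1918, documentation ranges, etc.
        return "private/documentation"
    return "global"


def parse(text: str):
    """Yield (rrname, rdata, count) for A records in the flat export."""
    for line in text.splitlines():
        rrname, rrtype, rdata, count = line.split()
        if rrtype == "A":
            yield rrname, rdata, int(count)


def tally_by_class(text: str) -> Counter:
    """Total observation count per address class."""
    c = Counter()
    for _, rdata, count in parse(text):
        c[classify(rdata)] += count
    return c


def rank_rdata(text: str):
    """Exact rdata values ordered by observation count, most common first."""
    c = Counter()
    for _, rdata, count in parse(text):
        c[rdata] += count
    return c.most_common()
```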
