[dns-operations] is for example.com

Robert Edmonds edmonds at mycre.ws
Tue Oct 4 16:16:13 UTC 2016

Manos Antonakakis wrote:
> On Tue, Oct 4, 2016 at 8:26 AM, Paul Vixie <paul at redbarn.org> wrote:
> > it's because i expect it's often the result of ignorance, or ill intent,
> > that i hate seeing this in pDNS.
> Paul, I think you should revisit this position. Perhaps, such "odd" or
> wrong RRs could carry very interesting forensic information ---
> especially when you can see them at scale.

Well, now that you mention scale... the database that Paul is querying
is based on trillions of passive DNS observations, and I only count a
dozen or so uses of that particular IP address in 2016. So, that would
make it a particularly rare misconfiguration, much rarer than other

If you search DNSDB for,,, or other
obviously "bad" values, etc. you'll get many orders of magnitude more
hits than this one.

Unless a particular A-record is actively being misused (e.g. to direct
DDoS traffic, or for botnet C&C, etc.) I don't see much point in calling
out matches for particular values.

Robert Edmonds
