[dns-operations] 192.0.32.10 is for example.com
Robert Edmonds
edmonds at mycre.ws
Tue Oct 4 16:16:13 UTC 2016
Manos Antonakakis wrote:
> On Tue, Oct 4, 2016 at 8:26 AM, Paul Vixie <paul at redbarn.org> wrote:
> > it's because i expect it's often the result of ignorance, or ill intent,
> > that i hate seeing this in pDNS.
>
> Paul, I think you should revisit this position. Perhaps, such "odd" or
> wrong RRs could carry very interesting forensic information ---
> especially when you can see them at scale.

Well, now that you mention scale... the database that Paul is querying
is based on trillions of passive DNS observations, and I only count a
dozen or so uses of that particular IP address in 2016. So, that would
make it a particularly rare misconfiguration, much rarer than other
types.

If you search DNSDB for 0.0.0.0, 1.1.1.1, 255.255.255.255, or other
obviously "bad" values, etc. you'll get many orders of magnitude more
hits than this one.

Unless a particular A-record is actively being misused (e.g. to direct
DDoS traffic, or for botnet C&C, etc.) I don't see much point in calling
out matches for particular values.

--
Robert Edmonds