[dns-operations] Know anybody at McAfee/Intel Cloud DNS team?

Ondřej Surý ondrej.sury at nic.cz
Tue Jan 24 13:30:50 UTC 2017


It's even "better" than that:

ondrej at komorebi:~/Projects/knot-resolver (master)$ dig +dnssec +multi +time=60 +retry=1 @204.212.170.100 726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com. IN MX
;; ERROR: malformed reply packet from 204.212.170.100 at 53(UDP)

ondrej at komorebi:~/Projects/knot-resolver (master)$ dig +multi +time=60 +retry=1 @204.212.170.100 726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com. IN MX
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33520
;; Flags: qr aa; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; QUESTION SECTION:
;; 726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.  IN MX

;; ANSWER SECTION:
726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com. 84600 IN MX 4112 f.1b0f0000.a.f.726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.

;; ADDITIONAL SECTION:
f.1b0f0000.a.f.726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com. 84600 IN A 204.212.170.105

;; Received 138 B
;; Time 2017-01-24 14:30:12 CET
;; From 204.212.170.100 at 53(UDP) in 171.1 ms

--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury at nic.cz    https://nic.cz/
 --------------------------------------------

----- Original Message -----
> From: "David" <opendak at shaw.ca>
> To: "dns-operations" <dns-operations at dns-oarc.net>
> Sent: Wednesday, 18 January, 2017 04:13:00
> Subject: Re: [dns-operations] Know anybody at McAfee/Intel Cloud DNS team?

> On 2017-01-17 7:37 PM, Manos Antonakakis wrote:
>> On Tue, Jan 17, 2017 at 9:30 PM, Robert Edmonds <edmonds at mycre.ws> wrote:
>>> That's no ordinary load balancer. Those are tunneled database lookups!
>>> (My favorite obfuscation is hex-encoding IPv4 addresses into the QNAME.)
>>
>> Yup. Robert is correct. More details around this (abusive?) phenomenon here:
>>
>> http://www.cc.gatech.edu/~ynadji3/docs/pubs/dnsnoise-dsn2014.pdf
>>
>> Manos
> 
> SonicWALL (webcfs00.com) is pretty bad at this too. Their "noise"
> accounts for about 10-15% of our servfail-producing queries.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

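Added example, not part of the original thread: the leading labels of the QNAME in the dig session above are hex-encoded ASCII, and decoding them shows the name being looked up through the carrier zone. The sketch below does that for query-log triage, and also covers the hex-encoded IPv4 case mentioned in the quoted reply; the function names and every sample name except the first are constructed for illustration.

```python
import ipaddress
import re

HEX_LABEL = re.compile(r"(?:[0-9a-f]{2}){3,}")   # even length, at least 3 bytes
HOST_TEXT = re.compile(rb"[A-Za-z0-9_-]+")        # bytes that can form a hostname label

def decode_label(label):
    """Decode one label: hostname text, a candidate IPv4 address, or None."""
    if not HEX_LABEL.fullmatch(label.lower()):
        return None
    raw = bytes.fromhex(label)
    if HOST_TEXT.fullmatch(raw):
        return raw.decode("ascii")
    if len(raw) == 4:   # 8 hex digits of non-text: only a candidate address
        return str(ipaddress.IPv4Address(raw))
    return None

def split_qname(qname):
    """Return (decoded payload, carrier suffix) for the leading hex labels."""
    labels = qname.rstrip(".").split(".")
    decoded = []
    for label in labels:
        value = decode_label(label)
        if value is None:
            break
        decoded.append(value)
    return ".".join(decoded), ".".join(labels[len(decoded):])

def scan(qnames):
    """Keep only the names that carry an encoded payload."""
    hits = []
    for qname in qnames:
        payload, carrier = split_qname(qname)
        if payload:
            hits.append((payload, carrier))
    return hits

# First name is the QNAME from the dig session above; the rest are constructed.
SAMPLE = [
    "726170696473736c2d63726c.67656f7472757374.636f6d.80hc70747be.webcfs00.com.",
    "c0000201.lookup.example.test.",   # constructed: hex-encoded 192.0.2.1
    "decade.example.test.",            # constructed: hex-looking word, no payload
    "www.example.test.",               # constructed: ordinary name
]

if __name__ == "__main__":
    for payload, carrier in scan(SAMPLE):
        print(f"{payload!r} tunneled via {carrier}")
```

An 8-hex-digit label that is not text is reported only as a candidate address, so such hits need confirmation against the carrier zone before being counted as tunneled lookups.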


