[dns-operations] Questions about 13-character pseudo-random query storms
Giovane Moura
giovane.moura at sidn.nl
Wed Oct 10 05:58:30 UTC 2018
Hi Jack,
> Our sites in Europe in each of our
> clouds are taking about 90% of these DNS queries.
>
> A check of the IPs hitting our servers
> in Europe shows European ownership for all of the heavy-hitters.
That's indeed puzzling.
Just to have an idea of the magnitude, how many IPs are we talking about
here? (how many resolvers hitting your authoritative server?)
And how many ASes?
(I am trying to get a sense if they could be using botnets or not --
because that changes everything).
Two things come to my mind:
- people trying to enumerate your zones (we've seen this in .nl before)
- measurement studies (very UNLIKELY given the query rates)
/giovane