[dns-operations] honeypot : so many bees from Amazon
Grant Taylor
gtaylor at tnetconsulting.net
Tue Mar 5 19:30:44 UTC 2019
On 03/05/2019 11:45 AM, Viktor Dukhovni wrote:
> Why would PTR lookups be assumed to be done by hackers?

My takeaway from Hans' message was that the domain in question was
listed in the following three places:

1) PTR records in reverse DNS zones.
2) Zones on the forward DNS servers.
3) Recursive DNS server (et al) caches.

Meaning that #1 is how the domain would get out into the wild for people
to know about it to do forward queries.

> My guess would be an academic study of the IPv4 address space. Or some
> commercial whitehat vulnerability scan. Project Sonar, etc.

RIPE Atlas Probes come to mind too.

I wonder if any of the organizations coordinating these can work with
you to help identify if any of their (sub)projects might be causing the
DNS queries.

--
Grant. . . .
unix || die