[dns-operations] honeypot : so many bees from Amazon

Grant Taylor gtaylor at tnetconsulting.net
Tue Mar 5 19:30:44 UTC 2019


On 03/05/2019 11:45 AM, Viktor Dukhovni wrote:
> Why would PTR lookups be assumed to be done by hackers?

My take away from Hans' message was that the domain in question was 
listed in the following three places:

1)  PTR records in reverse DNS zones.
2)  Zones on the forward DNS servers.
3)  Recursive DNS server (et al) caches.

Meaning that #1 is how the domain would get out into the wild for people 
to know about it to do forward queries.

> My guess would be an academic study of the IPv4 address space.  Or some 
> commercial whitehat vulnerability scan.  Project Sonar, etc.

RIPE Atlas Probes come to mind too.

I wonder if any of the organizations coordinating these can work with 
you to help identify if any of their (sub)projects might be causing the 
DNS queries.



-- 
Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190305/e3fc2fe6/attachment.bin>


More information about the dns-operations mailing list