[dns-operations] Large amount of queries received from OpenDNS
Antoine JOUBERT
antoine at joubert.ninja
Thu Mar 7 14:14:45 UTC 2019
Hi Hans,
I've just read the message you sent on March 5th.
The targeted servers on our side are not IPv6. We're only seeing the
following IP as the source of the queries :
146.112.128.64 r1.compute.cdg1.edc.strln.net.
146.112.128.65 r2.compute.cdg1.edc.strln.net.
146.112.128.66 r3.compute.cdg1.edc.strln.net.
146.112.128.67 r4.compute.cdg1.edc.strln.net.
146.112.128.68 r5.compute.cdg1.edc.strln.net.
146.112.128.69 r6.compute.cdg1.edc.strln.net.
Our servers are hosted in France and the US, but all the queries we
receive originate from France.
Compared to you, the reverse zones we host have not been targeted.
Antoine
On 07/03/2019 13:22, MAYER Hans wrote:
>
> Dear Antoine,
>
> You are not alone. See my posting from March 5th.
>
> If you don't have access to these old e-mails here a list I have seen
> since beginning of this year falling into my rate limit. There are
> primary IPv6 addresses and little IPv4.
>
> m1.pao.opendns.com. 2620:0:cc3::11
>
> m3.pao.opendns.com. 2620:0:cc3::13
>
> m17.pao.opendns.com. 2620:0:cc3::14
>
> m5.pao.opendns.com. 2620:0:cc3::15
>
> m7.pao.opendns.com. 2620:0:cc3::17
>
> m9.pao.opendns.com. 2620:0:cc3::19
>
> m11.pao.opendns.com. 2620:0:cc3::21
>
> m21.pao.opendns.com. 2620:0:cc3::29
>
> m25.pao.opendns.com. 2620:0:cc3::34
>
> m29.pao.opendns.com. 2620:0:cc3::39
>
> m33.pao.opendns.com. 2620:0:cc3::60
>
> m37.pao.opendns.com. 2620:0:cc3::65
>
> m41.pao.opendns.com. 2620:0:cc3::70
>
> m45.pao.opendns.com. 2620:0:cc3::75
>
> m5.ams.opendns.com. 2620:0:cc4::15
>
> m7.ams.opendns.com. 2620:0:cc4::17
>
> m11.ams.opendns.com. 2620:0:cc4::21
>
> m17.ams.opendns.com. 2620:0:cc4::65
>
> m21.ams.opendns.com. 2620:0:cc4::66
>
> m25.ams.opendns.com. 2620:0:cc4::67
>
> m29.ams.opendns.com. 2620:0:cc4::68
>
> m37.ams.opendns.com. 2620:0:cc4::70
>
> m41.ams.opendns.com. 2620:0:cc4::71
>
> m45.ams.opendns.com. 2620:0:cc4::72
>
> m49.ams.opendns.com. 2620:0:cc4::73
>
> m53.ams.opendns.com. 2620:0:cc4::74
>
> m57.ams.opendns.com. 2620:0:cc4::75
>
> m21.fra.opendns.com. 2620:0:cc7::64
>
> m25.fra.opendns.com. 2620:0:cc7::65
>
> m29.fra.opendns.com. 2620:0:cc7::66
>
> m33.fra.opendns.com. 2620:0:cc7::67
>
> m37.fra.opendns.com. 2620:0:cc7::68
>
> m41.fra.opendns.com. 2620:0:cc7::69
>
> m45.fra.opendns.com. 2620:0:cc7::70
>
> m49.fra.opendns.com. 2620:0:cc7::71
>
> m53.fra.opendns.com. 2620:0:cc7::72
>
> m57.fra.opendns.com. 2620:0:cc7::73
>
> m61.fra.opendns.com. 2620:0:cc7::74
>
> m65.fra.opendns.com. 2620:0:cc7::75
>
> m69.fra.opendns.com. 2620:0:cc7::76
>
> m73.fra.opendns.com. 2620:0:cc7::77
>
> m77.fra.opendns.com. 2620:0:cc7::78
>
> m25.nyc.opendns.com. 2620:0:cc9::65
>
> m29.nyc.opendns.com. 2620:0:cc9::66
>
> m33.nyc.opendns.com. 2620:0:cc9::67
>
> m37.nyc.opendns.com. 2620:0:cc9::68
>
> m41.nyc.opendns.com. 2620:0:cc9::69
>
> m45.nyc.opendns.com. 2620:0:cc9::70
>
> m49.nyc.opendns.com. 2620:0:cc9::71
>
> m53.nyc.opendns.com. 2620:0:cc9::72
>
> m57.nyc.opendns.com. 2620:0:cc9::73
>
> m61.nyc.opendns.com. 2620:0:cc9::74
>
> m13.sin.opendns.com. 2620:0:cca::64
>
> m17.sin.opendns.com. 2620:0:cca::65
>
> m21.sin.opendns.com. 2620:0:cca::66
>
> m25.sin.opendns.com. 2620:0:cca::67
>
> m29.sin.opendns.com. 2620:0:cca::68
>
> m33.sin.opendns.com. 2620:0:cca::69
>
> m37.sin.opendns.com. 2620:0:cca::70
>
> m41.sin.opendns.com. 2620:0:cca::71
>
> m45.sin.opendns.com. 2620:0:cca::72
>
> m49.sin.opendns.com. 2620:0:cca::73
>
> m53.sin.opendns.com. 2620:0:cca::74
>
> m57.sin.opendns.com. 2620:0:cca::75
>
> m61.sin.opendns.com. 2620:0:cca::76
>
> m65.sin.opendns.com. 2620:0:cca::77
>
> m1.yyz.opendns.com. 2620:119:10::11
>
> m3.yyz.opendns.com. 2620:119:10::13
>
> m5.yyz.opendns.com. 2620:119:10::15
>
> m7.yyz.opendns.com. 2620:119:10::17
>
> m9.yyz.opendns.com. 2620:119:10::19
>
> m11.yyz.opendns.com. 2620:119:10::21
>
> m17.yyz.opendns.com. 2620:119:10::64
>
> m21.yyz.opendns.com. 2620:119:10::65
>
> m25.yyz.opendns.com. 2620:119:10::66
>
> m29.yyz.opendns.com. 2620:119:10::67
>
> m33.yyz.opendns.com. 2620:119:10::68
>
> m37.yyz.opendns.com. 2620:119:10::69
>
> m41.yyz.opendns.com. 2620:119:10::70
>
> m49.yyz.opendns.com. 2620:119:10::72
>
> m53.yyz.opendns.com. 2620:119:10::73
>
> m21.sea.opendns.com. 2620:119:12::31
>
> m25.sea.opendns.com. 2620:119:12::36
>
> m29.sea.opendns.com. 2620:119:12::61
>
> m33.sea.opendns.com. 2620:119:12::66
>
> m41.sea.opendns.com. 2620:119:12::76
>
> m45.sea.opendns.com. 2620:119:12::81
>
> m49.sea.opendns.com. 2620:119:12::86
>
> m17.lon.opendns.com. 2a04:e4c0:10::64
>
> m21.lon.opendns.com. 2a04:e4c0:10::65
>
> m25.lon.opendns.com. 2a04:e4c0:10::66
>
> m29.lon.opendns.com. 2a04:e4c0:10::67
>
> m33.lon.opendns.com. 2a04:e4c0:10::68
>
> m37.lon.opendns.com. 2a04:e4c0:10::69
>
> m41.lon.opendns.com. 2a04:e4c0:10::70
>
> m45.lon.opendns.com. 2a04:e4c0:10::71
>
> m49.lon.opendns.com. 2a04:e4c0:10::72
>
> m53.lon.opendns.com. 2a04:e4c0:10::73
>
> m57.lon.opendns.com. 2a04:e4c0:10::74
>
> m61.lon.opendns.com. 2a04:e4c0:10::75
>
> m65.lon.opendns.com. 2a04:e4c0:10::76
>
> m69.lon.opendns.com. 2a04:e4c0:10::77
>
> m73.lon.opendns.com. 2a04:e4c0:10::78
>
> m77.lon.opendns.com. 2a04:e4c0:10::79
>
> m5.nrt.opendns.com. 2a04:e4c0:20::15
>
> m7.nrt.opendns.com. 2a04:e4c0:20::17
>
> m9.nrt.opendns.com. 2a04:e4c0:20::19
>
> m11.nrt.opendns.com. 2a04:e4c0:20::21
>
> m17.nrt.opendns.com. 2a04:e4c0:20::64
>
> m21.nrt.opendns.com. 2a04:e4c0:20::65
>
> m25.nrt.opendns.com. 2a04:e4c0:20::66
>
> m29.nrt.opendns.com. 2a04:e4c0:20::67
>
> m33.nrt.opendns.com. 2a04:e4c0:20::68
>
> m37.nrt.opendns.com. 2a04:e4c0:20::69
>
> m41.nrt.opendns.com. 2a04:e4c0:20::70
>
> m45.nrt.opendns.com. 2a04:e4c0:20::71
>
> m49.nrt.opendns.com. 2a04:e4c0:20::72
>
> m53.nrt.opendns.com. 2a04:e4c0:20::73
>
> m80.sjc.opendns.com. 67.215.95.91
>
> m81.sjc.opendns.com. 67.215.95.92
>
> m82.sjc.opendns.com. 67.215.95.93
>
> m83.sjc.opendns.com. 67.215.95.94
>
> // Hans
>
> -----Original Message-----
> From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf
> Of Antoine JOUBERT
> Sent: Thursday, March 7, 2019 12:17 PM
> To: dns-operations at dns-oarc.net
> Subject: [dns-operations] Large amount of queries received from OpenDNS
>
> Hi,
>
> We've been receiving a large amount of queries from OpenDNS over the
> last month or so.
>
> It looks like dictionary-based zone enumeration, but each record is
> requested between 10 and 20 times.
>
> Is anybody else seeing the same behavior from OpenDNS's resolvers?
>
> I've tried contacting them multiple times on their abuse mailbox
> (abuse at opendns.com <mailto:abuse at opendns.com>), but I've not received
> a reply yet.
>
> Could anyone provide me with an alternate contact that could look into
> this issue?
>
> Thanks!
>
> Antoine
>
> _______________________________________________
>
> dns-operations mailing list
>
> dns-operations at lists.dns-oarc.net
> <mailto:dns-operations at lists.dns-oarc.net>
>
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
> dns-operations mailing list
>
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190307/d78c81cd/attachment.html>
More information about the dns-operations
mailing list