[dns-operations] DNS measurement traffic etiquette

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Dec 22 05:45:16 UTC 2022


On Wed, Dec 21, 2022 at 06:27:29PM -0800, Andreas Ott wrote:

> What are my best options to find out who is behind all this traffic when it
> comes from anonymous sources?

Probably not worth your time, but you could ask the cloud provider abuse
teams to look into this for you.

> For how long should I expect this query traffic to continue?

For a long time.  FWIW, some Internet measurement operations do use
reasonable best-practices.  I drop all NXDOMAIN names from future
DNSSEC/DANE survey measurements.  The signed names within ~24 hours, and
the not signed names within ~7 days.  And where I have authoritative
data from a registry (e.g. via CZDS, and a handful of ccTLDs) that
removes the need for periodic checks of live, but not yet signed
domains.  I also don't look below the eTLD+1 zone apex.

The only problem area is that some domains "expire" from their
registrar/DNS operator (which starts returning REFUSED), but remain
listed in the parent ccTLD zone for months.  There's O(50k) (out of 20.5
million) names I'd love to definitively drop, but can't because the
parent zone is a bit of a roach motel.

Since you are actually returning NXDOMAIN and not REFUSED, it doesn't
take much effort to avoid repeatedly querying for these, but I guess the
incentives don't line up for some...

-- 
    Viktor.
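
The pruning policy described in the message above, sketched as an added example (not code from the post's author or any survey project). It assumes the "~24 hours" and "~7 days" figures are re-probe intervals; the `SurveyName` fields, the action names and the sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the post's "~24 hours" and "~7 days" are re-probe intervals,
# so an NXDOMAIN name is dropped at the next probe after it disappears.
SIGNED_INTERVAL = timedelta(hours=24)
UNSIGNED_INTERVAL = timedelta(days=7)


@dataclass
class SurveyName:
    name: str                       # zone apex at eTLD+1; nothing below it is queried
    signed: bool                    # DNSSEC-signed at last observation
    last_rcode: str                 # "NOERROR", "NXDOMAIN", "REFUSED", ...
    last_probe: datetime
    in_registry_data: bool = False  # TLD zone data available (e.g. via CZDS)


def next_action(n: SurveyName, now: datetime) -> str:
    """Return 'drop', 'skip', 'probe' or 'wait' for one survey name."""
    if n.last_rcode == "NXDOMAIN":
        return "drop"               # never query this name again
    if not n.signed and n.in_registry_data:
        return "skip"               # registry data replaces periodic checks
    interval = SIGNED_INTERVAL if n.signed else UNSIGNED_INTERVAL
    # REFUSED is not proof of removal while the parent still delegates the
    # name, so such names stay listed and are re-probed at the normal rate.
    return "probe" if now - n.last_probe >= interval else "wait"


def plan(names, now):
    """Map each survey name to its next action."""
    return {n.name: next_action(n, now) for n in names}


# Constructed sample data (example.* names are placeholders).
NOW = datetime(2022, 12, 22, 6, 0, tzinfo=timezone.utc)
SAMPLE = [
    SurveyName("gone.example", True, "NXDOMAIN", NOW - timedelta(hours=2)),
    SurveyName("signed.example", True, "NOERROR", NOW - timedelta(hours=25)),
    SurveyName("fresh.example", True, "NOERROR", NOW - timedelta(hours=3)),
    SurveyName("unsigned.example", False, "NOERROR", NOW - timedelta(days=3)),
    SurveyName("czds.example", False, "NOERROR", NOW - timedelta(days=9), True),
    SurveyName("expired.example", False, "REFUSED", NOW - timedelta(days=8)),
]

if __name__ == "__main__":
    for name, action in plan(SAMPLE, NOW).items():
        print(f"{name:18} {action}")
```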


