[dns-operations] You live in a dump, Quoyle!

Ulrich Wisser ulrich at wisser.se
Tue Feb 22 20:31:36 UTC 2022 

Hi Mark,

The quarries for TXT/a.b.qnamemin-test.nlnetlabs.nl <http://a.b.qnamemin-test.nlnetlabs.nl/> are not coming from NLnetlabs but from a Swedish research project.
Rapid7 produces a list of ip addresses with alleged resolvers on port 53.
We check all those resolvers for min.


/Ulrich



> On 13 Feb 2022, at 06:38, Mark Delany <b9w at charlie.emu.st> wrote:
> 
> (A free DNS lookup for anyone who remembers that movie quote).
> 
> I guess I'm just lamenting how much junk DNS traffic there is "out there". I know, I
> know. Old news.
> 
> I recently built a toy server to experiment with configless ipv6 reverse answers and a
> side-effect is that I scrutinized all the queries for an extended period. Big mistake!
> 
> Apart from the incessant, apparent DDOS to ANY/pizzaseo.com, ANY/peacecorps.gov and the
> like thrown at all port 53 ipv4 addresses, there is also the inexplicable and also
> incessant ANY/sl. queries. What they do or who they are meant to hurt, I have no clue.
> 
> But even the good guys are pretty unrelenting:
> 
> I see 60+ queries per day, every day for TXT/a.b.qnamemin-test.nlnetlabs.nl coming from
> just three AWS instances. Is that really nlnetlabs? If so, what are they hoping to
> measure?
> 
> Similarly:
> 
> 30/day A/ip.parrotdns.com by censys-scanner.com
> 24/day A/cb00780e.asert-dns-research.com
> 
> And what hetzner.com are up to I also have no clue, but they're pretty incessantly sending
> qmin type A queries.
> 
> I know that the reverse range being queried is not very active, so these reverse queries
> are definitely not being triggered by outbound connections.
> 
> Speaking of qname minimization, hoy boy, do they generate a lot of extra queries in the
> ipv6 reverse tree! I do wonder what secrets are being kept safe by not telling a parent
> name server what lower level PTR someone is after, but I'm sure there's good justification
> for it.
> 
> Not that it's a lot of traffic and I know there is zero I can do about it, but I'm down to
> 30% of queries actually returning an answer, with >50% returning qmin NOERRORs and the rest
> REFUSED.
> 
> 
> Bah humbug.
> 
> 
> Mark.
> 
> PS. Rotten Tomatoes gets it wrong with this one.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220222/c93abb3e/attachment.html>

More information about the dns-operations mailing list