[dns-operations] You live in a dump, Quoyle!

Mark Delany b9w at charlie.emu.st
Wed Feb 23 19:00:26 UTC 2022


On 22Feb22, Ulrich Wisser allegedly wrote:

> The queries for TXT/a.b.qnamemin-test.nlnetlabs.nl
> ... from a Swedish research project... Rapid7

Thanks Ulrich. The traffic does have the profile of some form of organized monitoring
rather than the typical reflection attack.

Having said that, do you know why Rapid7 need to probe the same IP address some 60 times a
day to make their determinations? And why they are querying a fake nlnetlabs.nl name
rather than using a real one of their own? Or are they running under the auspices of
nlnetlabs?

Most of the "legit" monitoring I see generally uses a domain name which makes it pretty
clear who it is and what they are doing; "researchscan541.eecs.umich.edu" and
"dns-test.research.a10protects.com" for example.


Not that it really matters, mostly I'm just trying to understand as much of the traffic as
I can.


Mark.
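The triage Mark describes above, repeated probing of one IP from one source and a qname that does or does not say who is behind it, is easy to pull out of a query log. The script below is an added example written for this page, not code from the thread or from any of the operators named in it; the log line format, the sample records, the repeat threshold and the list of "self-identifying" research names (taken from the names Mark cites) are all constructed assumptions.

```python
"""Profile DNS query logs: which (client, qname) pairs recur many times a day,
and whether the qname itself identifies the prober.

Added example for this page, not from the original thread. The log format,
the sample records and the research-name list are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Assumed line format (constructed): "<ISO-8601 timestamp> <client ip> <qtype> <qname>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(\S+)\s+(\S+)$")

# Names the post cites as making the operator obvious. This list is an
# assumption for the example; in practice it is whatever you have attributed.
KNOWN_RESEARCH_SUFFIXES = (
    "researchscan541.eecs.umich.edu.",
    "dns-test.research.a10protects.com.",
)


def build_sample_log():
    """Constructed sample: one source asking the same name 60 times in a day,
    one self-identifying scanner, two one-off queries and one garbage line."""
    lines = []
    for i in range(60):
        lines.append(f"2022-02-22T{i // 3:02d}:{(i % 3) * 20:02d}:00Z "
                     "198.51.100.7 TXT a.b.qnamemin-test.nlnetlabs.nl.")
    lines.append("2022-02-22T01:02:54Z 203.0.113.9 A researchscan541.eecs.umich.edu.")
    lines.append("2022-02-22T03:15:00Z 192.0.2.44 A www.example.com.")
    lines.append("2022-02-22T03:15:01Z 192.0.2.45 AAAA www.example.com.")
    lines.append("this line is garbage and is skipped")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Return (day, client, qtype, qname) tuples; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, client, qtype, qname = m.groups()
            records.append((day, client, qtype.upper(), qname.lower()))
    return records


def queries_per_day(records):
    """Count queries per (client, qname, day)."""
    return Counter((client, qname, day) for day, client, _, qname in records)


def is_self_identifying(qname):
    """True when the name is under a domain whose operator is already known."""
    return qname.lower().endswith(KNOWN_RESEARCH_SUFFIXES)


def profile(records, repeat_threshold=20):
    """For each (client, qname) pair: peak queries on any single day, whether
    that peak counts as recurring probing, and whether the name attributes it."""
    per_pair = defaultdict(int)
    for (client, qname, day), n in queries_per_day(records).items():
        per_pair[(client, qname)] = max(per_pair[(client, qname)], n)
    return {
        pair: {
            "max_per_day": n,
            "recurring": n >= repeat_threshold,
            "self_identifying": is_self_identifying(pair[1]),
        }
        for pair, n in per_pair.items()
    }


def unattributed_recurring(prof):
    """The pairs worth chasing: repeated probing whose name does not say who sent it."""
    return sorted(pair for pair, v in prof.items()
                  if v["recurring"] and not v["self_identifying"])


if __name__ == "__main__":
    prof = profile(parse_log(build_sample_log()))
    for (client, qname), v in sorted(prof.items()):
        print(f"{client:15} {qname:40} peak/day={v['max_per_day']:3} "
              f"recurring={v['recurring']} self_identifying={v['self_identifying']}")
    print("unattributed recurring:", unattributed_recurring(prof))
```

Feeding it a real day of query logs (in whatever format your server writes, after adjusting the regular expression) gives you the short list of sources that deserve a closer look: those that hit the same name on the same target dozens of times a day without a qname that tells you who they are.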


