[dns-operations] You live in a dump, Quoyle!

Willem Toorop willem at nlnetlabs.nl
Wed Feb 23 20:58:42 UTC 2022


Op 23-02-2022 om 20:00 schreef Mark Delany:
> On 22Feb22, Ulrich Wisser allegedly wrote:
> 
>> The quarries for TXT/a.b.qnamemin-test.nlnetlabs.nl
>> ... from a Swedish research project... Rapid7
> 
> Thanks Ulrich. The traffic does have the profile of some form of organized monitoring
> rather than the typical reflection attack.
> 
> Having said that, do you know why Rapid7 need to probe the same IP address some 60 times a
> day to make their determinations? And why they are querying a fake nlnetlabs.nl name
> rather than using a real one of their own? Or are they running under the auspices of
> nlnetlabs?

Yes, sorry it didn't come to my mind earlier, but I have indeed been in
contact with the PhD student doing the research project and I've
probably suggested and mentioned the usability of this name for the
measurements; as an alternative to our own (NLnet Labs')
TXT/qnamemintest.internet.nl queries because it is less prone to false
positives, and probably also to distinguish these measurements from the
ones performed form RIPE Atlas.

I realized it again when I saw Ulrich's reply!



More information about the dns-operations mailing list