On Wed, 13 Jan 2021 10:21:19 +0100 Alessandro Vesely <ves...@tana.it> wrote:
> Yesterday I got 42639 of those, from 41 different IPs, the most frequent
> clients looking like so:
>
> 821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-91-f]*
> ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at
> .........bin.named.query.c:7144/\1/p' < /var/log/daemon.log.0 |sort |uniq -c
> |sort -rn |head
> 4957 68.42.225.19
> 2914 73.73.73.73
> 2868 24.21.125.251
> 2783 193.70.81.112
> 2440 73.73.3.73
> 2273 101.71.138.9
> 2032 74.74.74.8
> 1814 98.25.235.45
> 1785 209.94.134.20
> 1756 73.109.143.81

Through a side project I report on IN ANY queries and have seen all of
those addresses and more as you can examine here:

<https://dataplane.org/dnsrdany.txt>

Some may be sourced from a security/research survey project, but some
sources performing this may be for more nefarious purposes - building a
list of open resolvers that will answer for the purposes of maintaining
an amplification/reflection hit list.

Unfortunately there are many open resolvers that answer, but perhaps
except for a name you are authoritative for, responding with a REFUSED
response is generally considered reasonable and appropriate.

John
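Added example, not part of the original thread: a Python tally of REFUSED `IN ANY` queries per client that generalizes the quoted sed pipeline so it does not depend on the syslog prefix, the view name, or the `query.c` line number, and also counts IPv6 clients. The log layout is assumed from the sed pattern above; the sample lines and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches named's "query failed (REFUSED)" lines for qtype ANY. Layout assumed
# from the sed pattern in the thread:
#   client @0x<ptr> <ip>#<port> (<qname>): view <v>: query failed (REFUSED) for <qname>/IN/ANY at ...
REFUSED_ANY = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"(?:view \S+: )?query failed \(REFUSED\) for \S+/IN/ANY\b"
)

def summarize(lines):
    """Return (hits per client address, set of queried names per client address)."""
    hits, names = Counter(), defaultdict(set)
    for line in lines:
        m = REFUSED_ANY.search(line)
        if m:
            hits[m["ip"]] += 1
            names[m["ip"]].add(m["qname"].lower())
    return hits, names

# Constructed sample lines using documentation address ranges, not real traffic.
_P = "Jan 12 00:00:0{} north named[1234]: client @0x7f1c2c0a1b20 "
_S = "at ../../../bin/named/query.c:7144"
SAMPLE = [
    _P.format(1) + "192.0.2.10#4444 (.): view external: query failed (REFUSED) for ./IN/ANY " + _S,
    _P.format(2) + "192.0.2.10#4445 (example.org): view external: query failed (REFUSED) for example.org/IN/ANY " + _S,
    _P.format(3) + "198.51.100.7#5353 (.): view external: query failed (REFUSED) for ./IN/ANY " + _S,
    # Refused, but qtype A: must not be counted.
    _P.format(4) + "192.0.2.10#4446 (example.org): view external: query failed (REFUSED) for example.org/IN/A " + _S,
    # IPv6 client: the sed pattern's [0-9.]* would miss this one.
    _P.format(5) + "2001:db8::5#5353 (.): view external: query failed (REFUSED) for ./IN/ANY " + _S,
]

if __name__ == "__main__":
    hits, names = summarize(SAMPLE)
    for ip, count in hits.most_common(10):
        print(f"{count:7d} {ip}  names={sorted(names[ip])}")
```

To run it against a real log, pass an open file object to `summarize` instead of `SAMPLE`.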