Hello,

We run a public resolver, and a few days ago I noticed a lot of very weird queries, like the following:

16:11:41.450794 IP 217.195.66.253.37426 > 62.76.76.62.53: 42580+ A? swfjwvtkhqx.www.feile8888.com. (47)
16:11:41.450796 IP 91.209.124.75.50584 > 62.76.76.62.53: 37269+ [1au] A? izhsccxedub.www.feile666.com. (57)

Across a total of 11 SLDs, the only thing those queries have in common is the random labels on the left side. One of those SLDs is an online shop, another is an online casino, so I concluded that our resolver is being used to bombard the NSes of the corresponding SLDs with queries.

I'd like to ask the respected community: how do you detect and protect against such activity? Will RRL help me if all suspected queries come with a random qname?

Thank you in advance.

-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
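
One way to spot the query pattern described in the message above, as an added example that is not part of the original post: group tcpdump query lines by the name left after removing the leftmost label, and flag parents whose leftmost labels almost never repeat. The function name, the thresholds and every sample line after the first two are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Line shape as in the post; flags such as "[1au]" may precede the qtype. IPv4 only.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.53: \d+\S* (?:\[[^\]]*\] )?"
    r"[A-Z0-9]+\? (?P<qname>\S+) \(\d+\)"
)

# The first two lines are from the post; the rest are constructed sample data.
SAMPLE = """\
16:11:41.450794 IP 217.195.66.253.37426 > 62.76.76.62.53: 42580+ A? swfjwvtkhqx.www.feile8888.com. (47)
16:11:41.450796 IP 91.209.124.75.50584 > 62.76.76.62.53: 37269+ [1au] A? izhsccxedub.www.feile666.com. (57)
16:11:41.451002 IP 192.0.2.10.40001 > 62.76.76.62.53: 1001+ A? qpwmzkxrtla.www.feile8888.com. (47)
16:11:41.451090 IP 192.0.2.11.40002 > 62.76.76.62.53: 1002+ A? hdkeuvbnqos.www.feile8888.com. (47)
16:11:41.451150 IP 192.0.2.12.40003 > 62.76.76.62.53: 1003+ [1au] A? ytrlcmxzawe.www.feile8888.com. (58)
16:11:41.451300 IP 198.51.100.7.51000 > 62.76.76.62.53: 2001+ A? www.example.org. (33)
16:11:41.451400 IP 198.51.100.7.51001 > 62.76.76.62.53: 2002+ A? www.example.org. (33)
16:11:41.451500 IP 198.51.100.8.51002 > 62.76.76.62.53: 2003+ AAAA? mail.example.org. (34)
""".splitlines()


def find_random_label_floods(lines, min_unique=50, min_ratio=0.9):
    """Return {parent: (queries, unique_labels, clients)} for suspicious parents."""
    labels = defaultdict(list)   # parent name -> leftmost labels seen under it
    clients = defaultdict(set)   # parent name -> source addresses asking for it
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        label, _, parent = qname.partition(".")
        # Skip TLD-level parents; multi-label public suffixes (co.uk) would need a PSL.
        if "." not in parent:
            continue
        labels[parent].append(label)
        clients[parent].add(m.group("src"))
    flagged = {}
    for parent, seen in labels.items():
        unique = len(set(seen))
        # Random-label floods: many distinct labels, hardly any asked twice.
        if unique >= min_unique and unique / len(seen) >= min_ratio:
            flagged[parent] = (len(seen), unique, len(clients[parent]))
    return flagged


if __name__ == "__main__":
    for parent, (q, u, c) in find_random_label_floods(SAMPLE, min_unique=4).items():
        print(f"{parent}: {q} queries, {u} unique labels, {c} clients")
```

This is a heuristic: a legitimate service that uses many one-off hostnames under one parent can also cross the thresholds, so tune `min_unique` and `min_ratio` against your own baseline traffic.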