On 23-02-2022 at 20:00, Mark Delany wrote:
> On 22Feb22, Ulrich Wisser allegedly wrote:
>
>> The queries for TXT/a.b.qnamemin-test.nlnetlabs.nl
>> ... from a Swedish research project... Rapid7
>
> Thanks Ulrich. The traffic does have the profile of some form of organized monitoring
> rather than the typical reflection attack.
>
> Having said that, do you know why Rapid7 need to probe the same IP address some 60 times a
> day to make their determinations? And why they are querying a fake nlnetlabs.nl name
> rather than using a real one of their own? Or are they running under the auspices of
> nlnetlabs?

Yes, sorry it didn't come to my mind earlier, but I have indeed been in contact with the PhD student doing the research project and I've probably suggested and mentioned the usability of this name for the measurements; as an alternative to our own (NLnet Labs') TXT/qnamemintest.internet.nl queries because it is less prone to false positives, and probably also to distinguish these measurements from the ones performed from RIPE Atlas.

I realized it again when I saw Ulrich's reply!

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations