On Sun, 2 Feb 2020, Matthias Leisi via mailop wrote:
> At dnswl.org, we collect (DNS) logs to identify abusers of our service. During last week, the logs increased by a factor of 10 (usually this is pretty stable, going up and down a few percent), so we thought we'd investigate. And we found something new (to us).
>
> From one particular IPv6 range, each and every DNS query was sent from a unique IPv6 /128, and every /128 seen was used exactly once. Since we do not correlate source and question of DNS queries received (for privacy reasons), we cannot tell what exactly was being asked.
>
> We can work around this issue in a number of ways (by blocking them from our DNS servers, excluding them from the log aggregation etc.), so no direct harm here. However, if such behaviour becomes more widespread, it may have a number of collateral effects (for DNS caches, in log handling, in reputation management systems etc.).
>
> Is this something others have seen as well (either on the DNSxL lookup side, or in SMTP connections)?
I've not seen this. It is traditional for ISPs to allocate a /64 to each end user. I'd suggest either just logging the /64 of each query, or perhaps rate limiting logging by /64, so that you still notice oddities like this.

-- 
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
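One way to implement both suggestions in the reply above (aggregating query sources by /64, and capping how many log lines one /64 may contribute), as an added example that is not code from the thread or from dnswl.org. The log format, the sample addresses and the per-prefix cap are constructed assumptions; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not dnswl.org data), one "<timestamp> <source-ip>" per line.
# The 2001:db8:ffff:2::/64 range rotates its /128 on every query, as in the report.
SAMPLE_LOG = """\
2020-02-01T10:00:00Z 2001:db8:1:1::1
2020-02-01T10:00:01Z 2001:db8:1:1::1
2020-02-01T10:00:02Z 2001:db8:1:1::2
2020-02-01T10:00:03Z 2001:db8:ffff:2::1
2020-02-01T10:00:04Z 2001:db8:ffff:2::2
2020-02-01T10:00:05Z 2001:db8:ffff:2::3
2020-02-01T10:00:06Z 2001:db8:ffff:2::4
2020-02-01T10:00:07Z 192.0.2.10
not-a-log-line
"""

def source_prefix(line, v6_prefix=64, v4_prefix=32):
    """Aggregation key: the /64 for IPv6 (usual per-customer allocation), the host for IPv4."""
    fields = line.split()
    try:
        addr = ipaddress.ip_address(fields[1])
    except (IndexError, ValueError):
        return None  # malformed line: skip it rather than abort the aggregation
    plen = v6_prefix if addr.version == 6 else v4_prefix
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

def aggregate_by_prefix(lines):
    """Return {prefix: (query_count, distinct_source_count)}."""
    queries, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        net = source_prefix(line)
        if net is not None:
            queries[net] += 1
            sources[net].add(line.split()[1])
    return {net: (queries[net], len(sources[net])) for net in queries}

def find_rotating_prefixes(stats, min_queries=4):
    """Prefixes whose every query came from a never-repeated source address."""
    return sorted(net for net, (q, d) in stats.items() if q >= min_queries and d == q)

def make_per_prefix_limiter(max_lines=3):
    """Log filter admitting at most max_lines lines per prefix, so one rotating /64
    cannot multiply stored log volume; returns True when a line should be kept."""
    admitted = defaultdict(int)
    def admit(line):
        net = source_prefix(line)
        if net is None or admitted[net] >= max_lines:
            return False
        admitted[net] += 1
        return True
    return admit
```

Feeding real resolver logs through `aggregate_by_prefix` and then `find_rotating_prefixes` surfaces the /64s worth a closer look without correlating source and query name.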