Could be DNS packet tunneling to China, bad news. https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
-----Original Message----- From: Christopher Hunt [mailto:dharmach...@gmail.com] Sent: Monday, September 23, 2013 11:55 AM To: nanog@nanog.org Subject: d6991.com traffic Beginning about 0900UTC we began seeing about 50x our usual DNS traffic. 75% of the traffic is for d6991.com. Does anyone else see this? Who are these folks (WEBNIC.CC)? -chris --- Please refer to http://www.amherst.com/amherst-email-disclaimer/ for important disclosures regarding this electronic communication.
