I'd be very interested in what others find. I do have an update and correction to my original post:
The format is 9chars.8chars - as an example: qjnqrtfun.wxsifmgj Sometimes a colon appears, so the char list seems to be [a-z:] Also, I was wrong about the FQDN - they do appear in named/bind logs - so whatever app it is, the suffix search order is being used. My apologies for the incorrect info the first time. Thre are a couple clients that do this - so thanks for the tip AlanC, I will look for a pattern. Other than that, I'm stumped. Thanks for any hints provided!! ponga On Dec 15, 3:05 pm, Alan Clegg <alan_cl...@isc.org> wrote: > This is an OpenPGP/MIME signed message (RFC 2440 and 3156) > --===============8205490644561799063== > Content-Type: multipart/signed; micalg=pgp-sha1; > protocol="application/pgp-signature"; > boundary="------------enigFED1ACD7ADB6EFE6DBD2651F" > > This is an OpenPGP/MIME signed message (RFC 2440 and 3156) > --------------enigFED1ACD7ADB6EFE6DBD2651F > Content-Type: text/plain; charset=ISO-8859-1 > Content-Transfer-Encoding: quoted-printable > > ponga2...@gmail.com wrote: > > I'm seeing name queries from a couple clients on the network that > > occur around every two minutes - the queries are evidently random and > > are looking for A IN records of this form, as an example: > >=20 > > ungzbvyf.lzghmccim > >=20 > > They always look like this, 8 lowercase chars, dot, then 9 lowercase > > chars - never an FQDN. > > I can't find what this might be - has anyone seen this before or have > > any ideas? > > I've seen this and told a couple of people, but nobody has really shown > interest. > > In addition to the regular format that you see, I've also picked up a > pattern when you start seeing the queries from multiple sources... > > I'll be more than happy to start collecting data again if anyone has > interest. > > AlanC > > --------------enigFED1ACD7ADB6EFE6DBD2651F > Content-Type: application/pgp-signature; name="signature.asc" > Content-Description: OpenPGP digital signature > Content-Disposition: attachment; filename="signature.asc" > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEARECAAYFAklG1K4ACgkQcKpYUrUDCYfXbACgqRz5Fun88QI4Vd5cT+HkDfoM > 4vYAnAkWYFdminMBqCzD/bIuPZ58zqA3 > =eO8g > -----END PGP SIGNATURE----- > > --------------enigFED1ACD7ADB6EFE6DBD2651F-- > > --===============8205490644561799063== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Disposition: inline > > _______________________________________________ > bind-users mailing list > bind-us...@lists.isc.orghttps://lists.isc.org/mailman/listinfo/bind-users > --===============8205490644561799063==-- _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users