TL;DR: Only returning _BLOCKED results led to an increase in query rate of roughly 25% (over two full weeks), especially from „consistent overusers“. The number of consistent overusers is growing more slowly (+7%) than their query volume.
>> * 332’000 sources querying list.dnswl.org <http://list.dnswl.org/> zone in the past 30 days
>> * of those, 13’100 sources have been doing more than 30 * 100’000 queries (ie, „consistent overusers“, and not just those who have a spike once in a while)
>> * 273 * 10^9 queries over the past 30 days overall
>> * Of these, ca 75% of the queries (200 * 10^9) have been issued by the 13’100 „consistent overusers“
>
> * 353’000 sources querying the zone in the past 30 days, of which there are 15’000 consistent overusers
> * 287 * 10^9 queries over the past days, ie an increase of ca 5% (this is for the previous 30 days in both cases, and not just the previous week)
> * 224 * 10^9 by the „consistent overusers“, ca 78% (three percentage points increase)

Two weeks after changing to _BLOCKED only:

* 353’000 sources, of which there are close to 16’000 consistent overusers, ca +7% over baseline
* 336 * 10^9 total queries, increase of ca 23% over the baseline
* 252 * 10^9 overuser queries, ca 75% of the total query volume (back to baseline), but an increase in total volume of 25%

> [One week after:]
>  mag   count
>  500      18
>  250      76
>  100     161
>   50     494
>   25    1011
>   10    3133
>    5    4513
>    3    5621
>    1  337992

Two weeks after:

 mag   count
 500      20
 250      84
 100     175
  50     564
  25    1120
  10    3333
   5    5032
   3    6048
   1  336643

> * mag = number of queries over the past 30 days, in millions (10^6)
> * count = number of sources seen (which will equal to fewer actual „responsibles“ due to numerous IPs being used by eg Google & Co)
> * regular limit of 30 * 100’000 would be 3 * 10^6

In the top 100 or so query sources, we see a lot of AWS and „Googleusercontent“, some OpenDNS and Google DNS. Quite a lot of missing PTR where whois suggests they could be either Google DNS or some big hoster DNS. Sendgrid(?). as250.net (hey guys, talk to us, we’ll give you rsync access for free ;) ). A number of commercial security services providers which should definitely know better.
We also notice that very few consistent overusers have stopped or greatly reduced queries (ie, monthly volume >> 100 * 10^6, last daily volumes near or equal zero). Some is evasion (a nearby IP picked up traffic), some is actual change (at least as far as we can tell, they could still be active in „far away“ IP ranges which we cannot easily link together).

— Matthias
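The following is an added worked example and not code from the dnswl.org post or project: it rebuilds the „mag / count“ magnitude table and the consistent-overuser share from a constructed table of per-source 30-day query totals. It assumes (inferred from the fact that the posted count column sums to the reported ~353’000 sources) that each mag row is a lower bound in millions of queries and that the bottom row „1“ collects every source at or below the regular limit of 30 * 100’000 = 3 * 10^6 queries; the IPs and totals in SAMPLE_TOTALS are made up.

```python
from collections import Counter

MILLION = 1_000_000

# Regular per-source limit from the post: 100'000 queries/day over 30 days.
OVERUSER_LIMIT = 30 * 100_000  # 3 * 10^6

# Magnitude rows as printed in the post, in millions, largest first.
# Assumption: "1" is the catch-all row for every source at or below the limit.
MAG_ROWS = (500, 250, 100, 50, 25, 10, 5, 3, 1)

# Constructed sample: source -> queries in the past 30 days (not real data).
SAMPLE_TOTALS = {
    "192.0.2.10": 620 * MILLION,   # large resolver cluster, far over the limit
    "192.0.2.11": 120 * MILLION,
    "198.51.100.5": 27 * MILLION,
    "198.51.100.6": 4_500_000,     # just over the limit
    "198.51.100.7": 3_000_000,     # exactly at the limit: not an overuser
    "203.0.113.1": 900_000,
    "203.0.113.2": 40_000,
    "203.0.113.3": 12,
}


def is_overuser(total_queries):
    """A source is a consistent overuser when it exceeds the 30-day limit."""
    return total_queries > OVERUSER_LIMIT


def magnitude_bucket(total_queries):
    """Return the mag row (in millions) a source falls into."""
    if is_overuser(total_queries):
        # Walk the rows from largest to smallest; the first lower bound
        # the total reaches is its row. Any overuser is >= 3M, so the
        # "3" row always catches what the larger rows did not.
        for mag in MAG_ROWS[:-1]:
            if total_queries >= mag * MILLION:
                return mag
    return 1


def magnitude_table(totals):
    """Build the mag/count rows for a mapping of source -> 30-day total."""
    counts = Counter(magnitude_bucket(t) for t in totals.values())
    return [(mag, counts.get(mag, 0)) for mag in MAG_ROWS]


def summarize(totals):
    """Headline figures in the shape the post reports them."""
    total_queries = sum(totals.values())
    overuser_queries = sum(t for t in totals.values() if is_overuser(t))
    return {
        "sources": len(totals),
        "overusers": sum(1 for t in totals.values() if is_overuser(t)),
        "total_queries": total_queries,
        "overuser_queries": overuser_queries,
        "overuser_share": overuser_queries / total_queries if total_queries else 0.0,
    }


def percent_change(baseline, current):
    """Percentage change of each headline count, current vs baseline."""
    keys = ("sources", "overusers", "total_queries", "overuser_queries")
    return {k: (current[k] - baseline[k]) / baseline[k] * 100.0 for k in keys}


if __name__ == "__main__":
    for mag, count in magnitude_table(SAMPLE_TOTALS):
        print(f"{mag:>4} {count:>8}")
    print(summarize(SAMPLE_TOTALS))
```

Running two snapshots of real per-source totals (baseline and two weeks after a policy change) through summarize() and percent_change() yields the same kind of comparison the post makes; the magnitude table is what you would check to see whether overusers are actually leaving or merely shifting to nearby IPs, which the table alone cannot distinguish.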