Hello,

For the past few hours we have been seeing quite a large volume of MX queries on our TLD as well as 2nd-level name servers. See the attached pictures: dsc-tld-nameserver.png and dsc-2nd-level-nameserver.png. One of the more prominent clients sending queries to both name servers is the IP address 203.45.217.122 (anders51.lnk.telstra.net.). The IP is not listed on a Spamhaus blacklist (http://www.spamhaus.org/query/bl?ip=203.45.217.122).

The query details look like this on the TLD name server:

"ip_ttl","src_port","qname","type","msg_id","msg_size","rd"
107,23173,"bittorrents24.ch.","MX",2,34,1
107,46272,"1h8g4qg54n.ch.","MX",81,31,1
107,6066,"engorgef.ch.","MX",170,29,1
107,39264,"telecool.ch.","MX",157,29,1
107,18894,"babaz.ch.","MX",96,26,1
107,19137,"badassteens.ch.","MX",148,32,1
107,43440,"bamiabear.ch.","MX",55,30,1
107,46299,"mail2reggie.ch.","MX",183,32,1
107,36840,"beckercap.ch.","MX",86,30,1
107,34205,"fgaieojkxl.ch.","MX",44,31,1
107,15345,"hayoz-holzbau.ch.ch.","MX",144,37,1
107,33808,"bibulous.ch.","MX",133,29,1
107,6606,"bcbsnc.ch.","MX",46,27,1

and like this on the 2nd-level name server:

"ip_ttl","src_port","qname","type","msg_id","msg_size","rd"
107,27413,"rgac2.ethz.ch.","MX",84,31,1
107,62537,"sp052.cern.ch.","MX",217,31,1
106,65441,"sunpdp20.cern.ch.","MX",55,34,1
107,52398,"hecvsante.ch.","MX",172,30,1
106,20194,"sunpdp20.cern.ch.","MX",149,34,1
107,45914,"rgac2.ethz.ch.","MX",1,31,1
107,24860,"sp052.cern.ch.","MX",117,31,1
106,50578,"rgac2.ethz.ch.","MX",85,31,1
106,40725,"sp052.cern.ch.","MX",70,31,1
107,48133,"sunpdp20.cern.ch.","MX",53,34,1
106,3974,"vxcrna.cern.ch.","MX",43,32,1

So it's clearly not normal resolver behaviour: the query question is not repeated and the RD bit is set (EDNS0 and the DO bit are not used/set). The client is using a large number of different domains and so evading DNS-RRL. For example, within 15 minutes 3070 different query names are used; within 60 minutes 4716, and within 4 hours 11193 different query names. The query name which is repeated most is asked every 6-7 seconds.

Does anyone have an idea what the source of this traffic pattern is? It's also interesting to note that quite a lot of 2nd-level queries result in NXDOMAIN responses.

Best regards,
Daniel

--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 16 24, fax +41 44 268 15 78
[email protected], http://www.switch.ch
Security-Blog: http://securityblog.switch.ch
<<attachment: dsc-2nd-level-nameserver.png>>
<<attachment: dsc-tld-nameserver.png>>
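The pattern Daniel describes (one client, MX queries, RD set, almost every query for a different name, so RRL never triggers) can be picked out of a DSC-style query export by counting distinct qnames per source within a window. The following is an added example, not code from the post or from SWITCH; it assumes the export also carries a "ts" (seconds) and "src_ip" column, which the captures above do not show, and the sample rows and addresses are constructed.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the DSC-style CSV layout from the post; the "ts" and
# "src_ip" columns are assumed, and the addresses are RFC 5737 documentation ranges.
SAMPLE = """\
ts,src_ip,ip_ttl,src_port,qname,type,msg_id,msg_size,rd
0,192.0.2.10,107,23173,bittorrents24.ch.,MX,2,34,1
3,192.0.2.10,107,46272,1h8g4qg54n.ch.,MX,81,31,1
5,192.0.2.10,107,6066,engorgef.ch.,MX,170,29,1
9,192.0.2.10,107,39264,telecool.ch.,MX,157,29,1
12,192.0.2.10,107,18894,babaz.ch.,MX,96,26,1
14,192.0.2.10,107,19137,badassteens.ch.,MX,148,32,1
1,198.51.100.7,64,53011,www.switch.ch.,A,10,30,1
2,198.51.100.7,64,53011,www.switch.ch.,A,11,30,1
"""

def parse_rows(text):
    """Parse DSC-style CSV text; ts and rd become integers."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"], r["rd"] = int(r["ts"]), int(r["rd"])
        rows.append(r)
    return rows

def per_source_stats(rows, window):
    """Summarise each source's queries within `window` seconds of its first one."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src_ip"]].append(r)
    stats = {}
    for src, qs in by_src.items():
        start = min(q["ts"] for q in qs)
        inwin = [q for q in qs if q["ts"] - start < window]
        distinct = len({q["qname"] for q in inwin})
        stats[src] = {
            "queries": len(inwin),
            "distinct_qnames": distinct,
            "unique_ratio": distinct / len(inwin),   # ~1.0: names never repeat
            "mx_fraction": sum(q["type"] == "MX" for q in inwin) / len(inwin),
            "rd_fraction": sum(q["rd"] for q in inwin) / len(inwin),
        }
    return stats

def flag_scatter_sources(stats, min_distinct, min_mx_fraction=0.9):
    """Sources whose traffic is mostly MX queries spread over many names."""
    return sorted(src for src, s in stats.items()
                  if s["distinct_qnames"] >= min_distinct
                  and s["mx_fraction"] >= min_mx_fraction)
```

On a real export the threshold would be in the hundreds or thousands of distinct names per 15-minute window (the post saw 3070), not the 5 used on the sample; a normal resolver shows a low unique ratio because it repeats questions as caches expire.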
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
