One of the IPs (213.159.0.55) is an open PowerDNS recursor -- you could ask on the PDNS list; I've had great success getting intelligent responses from there.
On Tue, Apr 2, 2013 at 6:37 PM, Jon Lewis <[email protected]> wrote:

> On Tue, 2 Apr 2013, John Kristoff wrote:
>
>> I never bothered to get to the bottom of it, but I'm still curious.
>> Since it has been going on for years, presuming we're talking about the
>> same thing, which I'm confident we are, I wonder if there is some
>> specific custom code that is generating this stuff. Is it for a
>> particular BL, BL user maybe? What else is in common? Any particular
>> source network, node type? Maybe there is just some common code doing
>> the look ups and it happens to pad the message with null bytes?
>
> I've seen it for traffic to both Spamhaus and NJABL rbldnsd servers. The
> only commonality I noticed was the few that answered version.bind queries
> reported being Microsoft DNS. i.e.
>
> Microsoft DNS 6.1.7601 (1DB14556)
> Microsoft DNS 6.0.6002 (1772487D)
>
> Maybe someone at MS misread the RFC and thought 512 bytes was the minimum
> size permitted for a UDP DNS query. :)
> Maybe someone like this character:
> http://stackoverflow.com/questions/12083628/make-a-512-udp-bytes-dns-request
>
> Here's a list of servers seen sending such queries while I composed this
> message.
>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

--
Augie Schwer - [email protected] - http://schwer.us
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
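
The null-byte padding discussed in this thread can be spotted on the server side by parsing each UDP payload by its header counts and looking at what is left over. The following is an added example, not code from the thread or from rbldnsd; the function names and the sample query name `2.0.0.127.dnsbl.example` are constructed for illustration.

```python
import struct

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name that starts at off."""
    while off < len(msg):
        n = msg[off]
        if n == 0:                    # root label ends the name
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        if n & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + n                  # length byte plus label
    raise ValueError("name runs past end of message")

def trailing_bytes(msg: bytes) -> bytes:
    """Walk the sections declared in the header; return whatever follows them."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns + ar):                 # an EDNS OPT record is walked here too
        off = skip_name(msg, off) + 10            # TYPE, CLASS, TTL, RDLENGTH
        if off > len(msg):
            raise ValueError("truncated record")
        off += struct.unpack("!H", msg[off - 2:off])[0]   # skip RDATA
    if off > len(msg):
        raise ValueError("truncated message")
    return msg[off:]

def classify(msg: bytes) -> str:
    """Label a payload by what follows the last declared record."""
    extra = trailing_bytes(msg)
    if not extra:
        return "clean"
    if extra.count(0) == len(extra):
        return "null-padded-to-512" if len(msg) == 512 else "null-padded"
    return "trailing-data"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Constructed sample input: a plain A/IN query with RD set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

if __name__ == "__main__":
    q = build_query("2.0.0.127.dnsbl.example")    # constructed DNSBL-style lookup
    for label, pkt in (("normal", q), ("padded", q.ljust(512, b"\x00"))):
        print(label, len(pkt), classify(pkt))
```

The header counts are supplied by the sender, so treat the result as a heuristic for logging and grouping sources rather than as a validity check.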
