On 04/26/15 22:46, Roland Dobbins wrote:
>
> On 27 Apr 2015, at 11:56, Randy Bush wrote:
>
>> looks normal except the server is not (supposed to be) recursive
>
> It would be really interesting to see the actual RRs being queried - see
> if they look like some of the prepending attacks we've seen, or
> something else.

+1

> Most of the prepending attacks are for A records, AFAIK.

The addresses Randy shared appear to be the backed queriers of the public authoritative services. It would also be interesting to see the TTLs of the things being queried, since one of the reasons you'll tend to get repeated queries from those servers is low/zero TTLs combined with someone's attempt at leverage (e.g. generating large responses from the public recursive services).

I am thinking the front-ends here could be Google Public DNS, Nominum SKYE, and similar, although I am not completely sure.

michael
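
One way to look at the two things asked for in this thread (the names being queried and their TTLs), as an added example that is not part of the original messages: a Python sketch that groups an authoritative server's query log by source and separates a prepending-like pattern (many distinct names under one parent, each asked once) from repeat queries explained by a low or zero TTL. The log tuple layout, the TTL table, the thresholds and every sample value are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (unix_time, source_ip, qname, qtype).
# Addresses and names come from documentation ranges; none are from the thread.
QUERIES = [
    (0, "192.0.2.10", "www.example.org.", "A"),
    (5, "192.0.2.10", "www.example.org.", "A"),
    (10, "192.0.2.10", "www.example.org.", "A"),
    (15, "192.0.2.10", "www.example.org.", "A"),
    (1, "198.51.100.7", "k3jf9a.example.net.", "A"),
    (2, "198.51.100.7", "zq81mm.example.net.", "A"),
    (3, "198.51.100.7", "p0x7td.example.net.", "A"),
    (4, "198.51.100.7", "aa93lw.example.net.", "A"),
    (0, "203.0.113.5", "mail.example.com.", "MX"),
    (3600, "203.0.113.5", "mail.example.com.", "MX"),
]
# Constructed TTLs the zone serves per (qname, qtype); a missing key means no such RR.
TTLS = {("www.example.org.", "A"): 0, ("mail.example.com.", "MX"): 3600}

def parent(qname):
    """Drop the left-most label: 'a.example.net.' -> 'example.net.'"""
    return qname.split(".", 1)[1]

def classify(queries, ttls, min_hits=4, low_ttl=30):
    """Map each source IP to 'prepending-like', 'low-ttl-requery' or 'normal'."""
    seen = defaultdict(lambda: defaultdict(list))  # src -> (qname, qtype) -> times
    for ts, src, qname, qtype in sorted(queries):
        seen[src][(qname, qtype)].append(ts)
    verdicts = {}
    for src, rrs in seen.items():
        verdict = "normal"
        # Pattern 1: many distinct names under one parent, each asked only once.
        one_off = defaultdict(int)
        for (qname, _), times in rrs.items():
            if len(times) == 1:
                one_off[parent(qname)] += 1
        if any(n >= min_hits for n in one_off.values()):
            verdict = "prepending-like"
        # Pattern 2: the same RR re-asked after each expiry of a low/zero TTL.
        for key, times in rrs.items():
            ttl = ttls.get(key)
            gaps = [b - a for a, b in zip(times, times[1:])]
            if (ttl is not None and ttl <= low_ttl
                    and len(times) >= min_hits and min(gaps) >= ttl):
                verdict = "low-ttl-requery"
        verdicts[src] = verdict
    return verdicts
```

Calling `classify(QUERIES, TTLS)` returns one verdict per source address; the thresholds `min_hits` and `low_ttl` are arbitrary starting points to tune against real traffic.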
