On 22Feb22, Ulrich Wisser allegedly wrote:
> The queries for TXT/a.b.qnamemin-test.nlnetlabs.nl
> ... from a Swedish research project... Rapid7

Thanks Ulrich. The traffic does have the profile of some form of organized monitoring rather than the typical reflection attack.

Having said that, do you know why Rapid7 need to probe the same IP address some 60 times a day to make their determinations? And why they are querying a fake nlnetlabs.nl name rather than using a real one of their own? Or are they running under the auspices of nlnetlabs?

Most of the "legit" monitoring I see generally uses a domain name which makes it pretty clear who it is and what they are doing; "researchscan541.eecs.umich.edu" and "dns-test.research.a10protects.com" for example.

Not that it really matters, mostly I'm just trying to understand as much of the traffic as I can.

Mark.
