On Sat, 15 Mar 2025 12:12:17 +0100 Hans Mayer via dns-operations <[email protected]> wrote:
> I saw in the past increased queries for random names. For example > from this IP 60.26.63.253 We (Dataplane.org) have been seeing this as well. It currently shows up in our signal feed here: <https://dataplane.org/signals/dnsrd.txt> > Any ideas for what this should be useful ? Not off the top of my head. It does not appear to be a real resolver, in the sense that it is probably just some stateless scanner. Always UDP, rd is set, source port is usually of a limited range (e.g., 60001 - 60004). If they are looking for DNS responses, maybe it is looking for a referral as opposed to negative responses for the purposes of finding some amplification? Or just inventorying destinations that return a well-formed DNS response? John _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
