out of curiosity, you might look at the dns queries getting rejected by
your firewall. in the example below, note that i don't use the all-zeroes
host address on any of my subnets.
root@fw1:/home/vixie # dnscap -p -i ipfw0 -g -
[57] 2021-03-20 08:27:53.537554 [#0 ipfw0 4095] \
[128.119.245.101].52482 [24.104.150.0].53 \
dns QUERY,NOERROR,40885,rd \
1 xvideos.com,IN,AAAA 0 0 0
^C
dnscap: signalled break
most of the folks scanning me guess a non-zero host field:
[59] 2021-03-20 08:31:50.706174 [#0 ipfw0 4095] \
[47.254.120.156].47204 [24.104.128.146].53 \
dns QUERY,NOERROR,55452,rd \
1 www.yahoo.com,IN,A 0 0 0
[56] 2021-03-20 08:31:52.571584 [#1 ipfw0 4095] \
[88.80.186.137].18127 [24.104.150.171].53 \
dns QUERY,NOERROR,8792,rd \
1 amazon.com,IN,A 0 0 0
[52] 2021-03-20 08:31:57.003934 [#2 ipfw0 4095] \
[143.198.215.243].983 [24.104.150.157].53 \
dns QUERY,NOERROR,2,rd \
1 vtk.be,IN,ANY 0 0 0
none of these addresses has ever offered any kind of name service.
watching the watchers is a little bit fun.
--
Paul Vixie
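
An added example, not part of the original message: a small Python parser for the `dnscap -g` records quoted above that tallies sources and query types and lists queries aimed at an all-zeroes host address. The function names, the IPv4-only pattern and the /24 prefix length are assumptions (the message does not give the subnet masks).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the four records quoted in the message, plus tool noise.
SAMPLE = r"""[57] 2021-03-20 08:27:53.537554 [#0 ipfw0 4095] \
[128.119.245.101].52482 [24.104.150.0].53 \
dns QUERY,NOERROR,40885,rd \
1 xvideos.com,IN,AAAA 0 0 0
^C
dnscap: signalled break
[59] 2021-03-20 08:31:50.706174 [#0 ipfw0 4095] \
[47.254.120.156].47204 [24.104.128.146].53 \
dns QUERY,NOERROR,55452,rd \
1 www.yahoo.com,IN,A 0 0 0
[56] 2021-03-20 08:31:52.571584 [#1 ipfw0 4095] \
[88.80.186.137].18127 [24.104.150.171].53 \
dns QUERY,NOERROR,8792,rd \
1 amazon.com,IN,A 0 0 0
[52] 2021-03-20 08:31:57.003934 [#2 ipfw0 4095] \
[143.198.215.243].983 [24.104.150.157].53 \
dns QUERY,NOERROR,2,rd \
1 vtk.be,IN,ANY 0 0 0
"""

RECORD = re.compile(
    r"\[\d+\] (?P<ts>\S+ \S+) \[#\d+ \S+ \d+\] "
    r"\[(?P<src>[\d.]+)\]\.(?P<sport>\d+) \[(?P<dst>[\d.]+)\]\.(?P<dport>\d+) "
    r"dns \w+,\w+,\d+,(?P<flags>\S*) "
    r"\d+ (?P<qname>[^,\s]+),\w+,(?P<qtype>\w+)")

def parse(text):
    """Join backslash-continued lines, return one dict per DNS record."""
    joined = re.sub(r" *\\\n", " ", text)
    return [m.groupdict() for m in RECORD.finditer(joined)]

def summarize(records, prefixlen=24):
    """prefixlen is an assumption; the message does not give the subnet masks."""
    hostmask = (1 << (32 - prefixlen)) - 1
    report = {"sources": Counter(), "qtypes": Counter(), "zero_host": [], "rd": 0}
    for r in records:
        report["sources"][r["src"]] += 1
        report["qtypes"][r["qtype"]] += 1
        report["rd"] += "rd" in re.split(r"\W+", r["flags"])  # recursion desired
        if int(ipaddress.IPv4Address(r["dst"])) & hostmask == 0:
            report["zero_host"].append((r["src"], r["dst"], r["qname"]))
    return report

print(summarize(parse(SAMPLE)))
```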