Randy, thanks for sharing, I didn't know this is actually done. Any idea if they use something clever or just exhaustive search?

thanks
Amir

--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/cybersecurity

On Tue, Oct 31, 2023 at 6:49 PM Randy Bush <ra...@psg.com> wrote:

> i have blocked a zone enumerator, though i guess they will be a whack-a-mole
>
> others have reported them as well
>
> /home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 22:42:39.516849 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS? 33j4h.org.al. (30)
> 22:42:39.517640 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33m6d.xn--mgbayh7gpa. (38)
> 22:42:39.519169 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33lxd.tn. (26)
> 22:42:39.520064 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? 33md6.jo. (26)
> 22:42:39.521081 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? 33lxd.lb. (26)
> 22:42:39.523981 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 33pd2.az. (26)
> 22:42:39.525043 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? 33nc5.com.al. (30)
> 22:42:39.526185 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? 33nc5.sz. (26)
> 22:42:39.527931 IP 193.235.141.150.32768 > 666.42.7.11.53: 14 NS? 33q5p.com.al. (30)
> 22:42:39.529516 IP 193.235.141.210.32768 > 666.42.7.11.53: 14 NS? 33qbq.com.al. (30)
> 10 packets captured
> 124 packets received by filter
> 0 packets dropped by kernel
>
> inetnum: 193.235.141.0 - 193.235.141.255
> netname: domaincrawler-hosting
> descr: domaincrawler hosting
> org: ORG-ABUS1196-RIPE
> country: SE
> admin-c: VIJE1-RIPE
> tech-c: VIJE1-RIPE
> status: ASSIGNED PA
> notify: c+1...@resilans.se
> mnt-by: RESILANS-MNT
> mnt-routes: ETTNET-LIR
> created: 2008-04-03T11:21:00Z
> last-modified: 2017-04-10T12:47:06Z
> source: RIPE
>
> randy
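
The pattern in the quoted capture (queries for distinct names under several zones, spread over many addresses in one /24) can be picked out of `tcpdump -n` output per source prefix. The following is an added example, not part of the original thread: the function name, the thresholds and the sample lines (documentation addresses and reserved TLDs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# One tcpdump -n DNS query line: "<time> IP <src>.<port> > <dst>.53: <id> <QTYPE>? <qname> (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > \S+\.53: "
    r"\d+\S* (?:\[\S+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

# Constructed sample in the format of the capture above (not real traffic).
SAMPLE = """\
22:42:39.516849 IP 198.51.100.90.32768 > 192.0.2.53.53: 14 NS? a1b2c.org.example. (35)
22:42:39.517640 IP 198.51.100.17.32768 > 192.0.2.53.53: 14 NS? a1c3d.test. (28)
22:42:39.519169 IP 198.51.100.171.32768 > 192.0.2.53.53: 14 NS? a1d4e.invalid. (31)
22:42:39.520064 IP 198.51.100.247.32768 > 192.0.2.53.53: 14 NS? a1e5f.com.example. (35)
22:42:39.521081 IP 198.51.100.60.32768 > 192.0.2.53.53: 14 NS? a1f6g.com.example. (35)
22:42:39.523981 IP 198.51.100.209.32768 > 192.0.2.53.53: 14 NS? a1g7h.test. (28)
22:42:40.100001 IP 203.0.113.7.40211 > 192.0.2.53.53: 14+ A? www.example.org. (33)
22:42:41.100002 IP 203.0.113.7.40212 > 192.0.2.53.53: 15+ A? www.example.org. (33)
22:42:42.100003 IP 203.0.113.7.40213 > 192.0.2.53.53: 16+ NS? example.org. (29)
""".splitlines()

def enumeration_suspects(lines, min_names=5, min_zones=3):
    """Return per-/24 counts for prefixes whose queries spread over many names and zones."""
    seen = defaultdict(lambda: {"sources": set(), "names": set(), "zones": set()})
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # responses, non-DNS traffic, tcpdump banner lines
        prefix = str(ip_network(m["src"] + "/24", strict=False))
        qname = m["qname"].lower().rstrip(".")
        entry = seen[prefix]
        entry["sources"].add(m["src"])
        entry["names"].add(qname)
        # Parent zone = everything after the leftmost label ("" for a TLD query).
        entry["zones"].add(qname.partition(".")[2])
    # Thresholds are illustrative; tune them to the capture window and server role.
    return {
        prefix: {key: len(values) for key, values in entry.items()}
        for prefix, entry in seen.items()
        if len(entry["names"]) >= min_names and len(entry["zones"]) >= min_zones
    }

if __name__ == "__main__":
    for prefix, counts in enumeration_suspects(SAMPLE).items():
        print(prefix, counts)
```

Grouping by /24 rather than by single address matters here, because in the capture no source address repeats often enough to stand out on its own.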