Re: swedish dns zone enumerator

2023-11-02 Thread Mark Andrews



> On 2 Nov 2023, at 20:25, Stephane Bortzmeyer  wrote:
> 
> On Thu, Nov 02, 2023 at 04:09:24PM +1100,
> Mark Andrews  wrote 
> a message of 90 lines which said:
> 
>> I also see QNAME minimisation in action as the QTYPE is NS.  This
>> could just be an open recursive server using QNAME minimisation.
>> With QNAME minimisation working correctly all parent zones should
>> see are NS queries with the occasional DNSKEY and DS query.  Both
>> BIND and Knot use NS queries for QNAME minimisation.
> 
> I disagree. NS queries were used in the first RFC about QNAME
> minimisation (which was experimental) but the current one (which is on
> the standards track) now recommends A or AAAA queries (see especially
> section 2.1).

The QTYPE selection is always a matter of trade-offs.  NS is still
perfectly fine and it is the ONLY type that actually works in a number
of scenarios.  Additionally the number of servers that don’t respond
to NS queries is remarkably small and decreasing.  More of an issue
is garbage NS RRsets below the zone cut.  A queries work well when there
is a zone cut at each label.  They don’t work well when there isn’t
a zone cut.  You get back nothing to say that there isn’t a zone cut
which leaves you needing to do the discovery on the next query to the
zone, and the next query to the zone, etc.  This leads to complaints
that you aren’t caching A (or whatever type you chose) queries. 

>> Other query types and/or prefixes do not work as they have
>> undesirable side effects.
> 
> Rather the contrary, some broken firewalls in front of authoritative
> name servers were crashing when using NS queries. Hence the choice of
> address queries. (Also, it improves privacy since it makes more
> difficult to see you are doing QNAME minimisation.)

Hiding that you are doing QNAME minimisation is a non-issue. As for
firewalls crashing: the more they crash the sooner they get fixed, and
it’s been years now.

>> I would not like anyone to take seeing mostly NS queries as any
>> evidence of bad practice.
> 
> We agree here.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: swedish dns zone enumerator

2023-11-02 Thread John McCormac

On 02/11/2023 05:15, Randy Bush wrote:

> ya, right,  and at a whole bunch of other cctld servers
>
> from a network called domaincrawler-hosting

It looks like a list-based attempt to discover domain names registered 
in some small ccTLDs. The problem with some of the queries is that a few 
of the second level subdomains of those ccTLDs have just hundreds of 
registrations. Not sure if it is a DNSSEC-based attack.


Unlike the gTLDs, available via the ICANN CZDS, most ccTLDs don't 
provide access to their zone files. Some of the queries are odd because 
it seems to be applying lists from Swedish or German language sources to 
small ccTLDs where the main languages of the countries are not Swedish 
or German. Some of those domain name strings don't exist in the gTLDs. A 
few of the examples don't exist in the .SE or .DE ccTLDs either.


The ccTLDs become more "unique" when the main language of their country 
is not English. As a ccTLD's market evolves, registrants will often 
decide to only register in their ccTLD rather than in .COM or other 
gTLDs. The percentage of these unique registrations, as opposed to 
registrations having an equivalent in the gTLDs, can be upwards of 15%. 
The percentage is also affected by economic conditions in the ccTLD's 
market and the price of a ccTLD registration compared to a .COM 
registration. The problems for a list-based DNS enumeration on these 
small ccTLDs are that there are a lot of them and they are small.


It might be an idea to contact Domaincrawler(.)com and ask what it is 
doing.


Regards...jmcc
--
**
John McCormac  *  e-mail: j...@hosterstats.com
MC2*  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford  *  Domnomics - the business of domain names
Ireland*  https://amzn.to/2OPtEIO
IE *  Skype: hosterstats.com
**




Re: swedish dns zone enumerator

2023-11-02 Thread Randy Bush
> I might be reading this wrong, but I don't think the point Randy was
> trying to make was 'NS queries are an attack', 'UDP packets are an
> attack' or 'IP packets are an attack' . I base this on the list of
> queries Randy decided to include as relevant to the thesis Randy was
> trying to make, instead of wholesale warning of IP, UDP or NS queries.

i was warning of an ndrek3 enumeration attack from the source netblock's
ip space

i am far from an expert in ndrek3 enumeration.  but i naïvely assume
that most tld rrs are ns so that is what they're after.  but, as you
say, that is beside the point.

randy


Re: swedish dns zone enumerator

2023-11-02 Thread Stephane Bortzmeyer
On Thu, Nov 02, 2023 at 04:09:24PM +1100,
 Mark Andrews  wrote 
 a message of 90 lines which said:

> I also see QNAME minimisation in action as the QTYPE is NS.  This
> could just be an open recursive server using QNAME minimisation.
> With QNAME minimisation working correctly all parent zones should
> see are NS queries with the occasional DNSKEY and DS query.  Both
> BIND and Knot use NS queries for QNAME minimisation.

I disagree. NS queries were used in the first RFC about QNAME
minimisation (which was experimental) but the current one (which is on
the standards track) now recommends A or AAAA queries (see especially
section 2.1).

> Other query types and/or prefixes do not work as they have
> undesirable side effects.

Rather the contrary, some broken firewalls in front of authoritative
name servers were crashing when using NS queries. Hence the choice of
address queries. (Also, it improves privacy since it makes more
difficult to see you are doing QNAME minimisation.)

> I would not like anyone to take seeing mostly NS queries as any
> evidence of bad practice.

We agree here.



Re: swedish dns zone enumerator

2023-11-02 Thread Saku Ytti
On Thu, 2 Nov 2023 at 10:32, Mark Andrews  wrote:

> You missed the point I was trying to make.  While I think that source is
> trying to enumerate some part of the namespace, NS queries by themselves
> don’t indicate an attack. Others would probably see the series of NS queries
> as a signature of an attack when they are NOT.  There needs to be much more
> than that to make that conclusion.

I might be reading this wrong, but I don't think the point Randy was
trying to make was 'NS queries are an attack', 'UDP packets are an
attack' or 'IP packets are an attack' . I base this on the list of
queries Randy decided to include as relevant to the thesis Randy was
trying to make, instead of wholesale warning of IP, UDP or NS queries.

-- 
  ++ytti


Re: swedish dns zone enumerator

2023-11-02 Thread Mark Andrews
You missed the point I was trying to make.  While I think that source is 
trying to enumerate some part of the namespace, NS queries by themselves don’t 
indicate an attack. Others would probably see the series of NS queries as a 
signature of an attack when they are NOT.  There needs to be much more than 
that to make that conclusion.

-- 
Mark Andrews

> On 2 Nov 2023, at 06:15, Randy Bush  wrote:
> 
> ya, right,  and at a whole bunch of other cctld servers
> 
> from a network called domaincrawler-hosting
> 
> shall we smoke another?
> 
> /home/randy> sudo tcpdump -pni vtnet0 -c 500 port 53 and net 193.235.141
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes

Re: swedish dns zone enumerator

2023-11-01 Thread Randy Bush
ya, right,  and at a whole bunch of other cctld servers

from a network called domaincrawler-hosting

shall we smoke another?

/home/randy> sudo tcpdump -pni vtnet0 -c 500 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
05:12:30.563268 IP 193.235.141.169.32768 > 666.42.7.11.53: 14 NS? cgatcity.com.cu. (33)
05:12:30.565017 IP 193.235.141.215.32768 > 666.42.7.11.53: 14 NS? christ-jockel.jo. (34)
05:12:30.565660 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? cgatcity.al. (29)
05:12:30.566490 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? cgatcity.org.al. (33)
05:12:30.566694 IP 193.235.141.3.32768 > 666.42.7.11.53: 14 NS? christian-luber-jr.net.al. (43)
05:12:30.569474 IP 193.235.141.239.32768 > 666.42.7.11.53: 14 NS? clearing-muenchen.eg. (38)
05:12:30.571870 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? clearing-muenchen.com.ps. (42)
05:12:30.573436 IP 193.235.141.23.32768 > 666.42.7.11.53: 14 NS? cofls-welt.xn--pgbs0dh. (40)
05:12:30.573914 IP 193.235.141.173.32768 > 666.42.7.11.53: 14 NS? club-lederwerk-neustadt.net.al. (48)
05:12:30.574608 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? cofls-welt.az. (31)
05:12:30.575203 IP 193.235.141.183.32768 > 666.42.7.11.53: 14 NS? cofls-welt.lb. (31)
05:12:30.575356 IP 193.235.141.215.32768 > 666.42.7.11.53: 14 NS? conomix.eg. (28)
05:12:30.575950 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? conomix.net.ps. (32)
05:12:30.577242 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS? computercheck-online.tn. (41)
05:12:30.577800 IP 193.235.141.134.32768 > 666.42.7.11.53: 14 NS? conomix.cu. (28)
05:12:30.578272 IP 193.235.141.177.32768 > 666.42.7.11.53: 14 NS? conomix.net.lb. (32)
05:12:30.578480 IP 193.235.141.114.32768 > 666.42.7.11.53: 14 NS? cstreibel.lr. (30)
05:12:30.578896 IP 193.235.141.114.32768 > 666.42.7.11.53: 14 NS? cstreibel.org.lb. (34)
05:12:30.579060 IP 193.235.141.244.32768 > 666.42.7.11.53: 14 NS? cristallcard.az. (33)
05:12:30.580681 IP 193.235.141.11.32768 > 666.42.7.11.53: 14 NS? d-cypher.tn. (29)
05:12:30.581812 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? d-cypher.al. (29)
05:12:30.582157 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? dailycatesse.sz. (33)
05:12:30.582381 IP 193.235.141.142.32768 > 666.42.7.11.53: 14 NS? d-cypher.eg. (29)
05:12:30.583340 IP 193.235.141.125.32768 > 666.42.7.11.53: 14 NS? damensattel-duesseldorf.net.ps. (48)
05:12:30.583439 IP 193.235.141.181.32768 > 666.42.7.11.53: 14 NS? dailycatesse.az. (33)
05:12:30.584078 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? dailycatesse.mw. (33)
05:12:30.584330 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? dailycatesse.org.al. (37)
05:12:30.584730 IP 193.235.141.3.32768 > 666.42.7.11.53: 14 NS? darkroom24.net.al. (35)
05:12:30.585506 IP 193.235.141.7.32768 > 666.42.7.11.53: 14 NS? damensattel-duesseldorf.jo. (44)
05:12:30.585995 IP 193.235.141.127.32768 > 666.42.7.11.53: 14 NS? dassehen.lr. (29)
05:12:30.587759 IP 193.235.141.173.32768 > 666.42.7.11.53: 14 NS? darkroom24.tn. (31)
05:12:30.588076 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? dgurock.org.al. (32)
05:12:30.589055 IP 193.235.141.212.32768 > 666.42.7.11.53: 14 NS? dictys.jo. (27)
05:12:30.589640 IP 193.235.141.240.32768 > 666.42.7.11.53: 14 NS? dgurock.az. (28)
05:12:30.591432 IP 193.235.141.172.32768 > 666.42.7.11.53: 14 NS? dictys.com.ps. (31)
05:12:30.592608 IP 193.235.141.213.32768 > 666.42.7.11.53: 14 NS? disko-thema.org.al. (36)
05:12:30.593365 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? diesling-1.net.al. (35)
05:12:30.593814 IP 193.235.141.147.32768 > 666.42.7.11.53: 14 NS? diesling-1.ps. (31)
05:12:30.595057 IP 193.235.141.240.32768 > 666.42.7.11.53: 14 NS? disko-thema.net.al. (36)
05:12:30.595722 IP 193.235.141.157.32768 > 666.42.7.11.53: 14 NS? disko-thema.xn--mgbayh7gpa. (44)
05:12:30.596496 IP 193.235.141.135.32768 > 666.42.7.11.53: 14 NS? downbeat-band.com.lb. (38)
05:12:30.596898 IP 193.235.141.185.32768 > 666.42.7.11.53: 14 NS? dj-hc-team.sz. (31)
05:12:30.598077 IP 193.235.141.177.32768 > 666.42.7.11.53: 14 NS? dnd-testdomain.net.al. (39)
05:12:30.598203 IP 193.235.141.146.32768 > 666.42.7.11.53: 14 NS? dnd-testdomain.net.ps. (39)
05:12:30.598338 IP 193.235.141.215.32768 > 666.42.7.11.53: 14 NS? druck-hamster.lr. (34)
05:12:30.599224 IP 193.235.141.168.32768 > 666.42.7.11.53: 14 NS? druckerei-hilden.az. (37)
05:12:30.602031 IP 193.235.141.45.32768 > 666.42.7.11.53: 14 NS? druckerei-hilden.com.lb. (41)
05:12:30.604763 IP 193.235.141.210.32768 > 666.42.7.11.53: 14 NS? drumandy.xn--pgbs0dh. (38)
05:12:30.605420 IP 193.235.141.212.32768 > 666.42.7.11.53: 14 NS? dugehoerstmir.tz. (34)
05:12:30.607074 IP 193.235.141.142.32768 > 666.42.7.11.53: 14 NS? dugehoerstmir.eg. (34)
05:12:30.607465 IP 193.235.141.152.32768 > 666.42.7.11.53: 14 NS? dugehoerstmir.net.lb. (38)
05:12:30.608142 IP 

Re: swedish dns zone enumerator

2023-11-01 Thread Mark Andrews
While I see evidence for the claim (5-character left-hand labels, all 
non-existent), I also see QNAME minimisation in action, as the QTYPE is NS. 
This could just be an open recursive server using QNAME minimisation.  With 
QNAME minimisation working correctly, all parent zones should see are NS 
queries with the occasional DNSKEY and DS query.  Both BIND and Knot use NS 
queries for QNAME minimisation.  Other query types and/or prefixes do not 
work as they have undesirable side effects.

I would not like anyone to take seeing mostly NS queries as any evidence of 
bad practice.  On the contrary, this is best practice.  It’s just relatively 
new.

I would also like to remind everyone here that QNAME minimisation using NS 
queries will expose the bad practice of having mismatching NS RRsets above 
and below the zone cut and having garbage NS RRsets in the child zone when 
both parent and child are served by the same servers.  Please ensure your NS 
RRsets are consistent on both sides of the zone cut and that they are sane.

Mark


> On 1 Nov 2023, at 09:46, Randy Bush  wrote:
> 
> i have blocked a zone enumerator, though i guess they will be a
> whack-a-mole
> 
> others have reported them as well
> 
> /home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 22:42:39.516849 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS? 33j4h.org.al. (30)
> 22:42:39.517640 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33m6d.xn--mgbayh7gpa. (38)
> 22:42:39.519169 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33lxd.tn. (26)
> 22:42:39.520064 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? 33md6.jo. (26)
> 22:42:39.521081 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? 33lxd.lb. (26)
> 22:42:39.523981 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 33pd2.az. (26)
> 22:42:39.525043 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? 33nc5.com.al. (30)
> 22:42:39.526185 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? 33nc5.sz. (26)
> 22:42:39.527931 IP 193.235.141.150.32768 > 666.42.7.11.53: 14 NS? 33q5p.com.al. (30)
> 22:42:39.529516 IP 193.235.141.210.32768 > 666.42.7.11.53: 14 NS? 33qbq.com.al. (30)
> 10 packets captured
> 124 packets received by filter
> 0 packets dropped by kernel
> 
> inetnum:        193.235.141.0 - 193.235.141.255
> netname:        domaincrawler-hosting
> descr:          domaincrawler hosting
> org:            ORG-ABUS1196-RIPE
> country:        SE
> admin-c:        VIJE1-RIPE
> tech-c:         VIJE1-RIPE
> status:         ASSIGNED PA
> notify:         c+1...@resilans.se
> mnt-by:         RESILANS-MNT
> mnt-routes:     ETTNET-LIR
> created:        2008-04-03T11:21:00Z
> last-modified:  2017-04-10T12:47:06Z
> source:         RIPE
> 
> randy

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
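
An added example (not code from any poster in this thread) that puts Mark's point into a triage rule: it parses tcpdump lines of the kind quoted above, groups them by source /24, and calls a block "enumeration" only when at least two signals other than QTYPE=NS coincide (many senders sharing one fixed source port, one label tried under several TLDs, names arriving in alphabetical order, fixed-length labels). The 193.235.141.x lines are taken from the captures quoted in the thread; the 198.51.100.7 resolver lines, the thresholds and the exact tcpdump line format it expects are assumptions.

```python
# Added example for this thread, not any poster's code: triage NS-query bursts per source /24.
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# One tcpdump -n record: "<ts> IP <src>.<port> > <dst>.<port>: <id>[+] <QTYPE>? <qname>. (<len>)"
REC = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+: \d+\+? (\w+)\? (\S+)\. \(\d+\)$")

# Lines quoted in the thread: a /24 of senders on one fixed port, labels tried under several TLDs.
ENUM_DICT = """\
05:12:30.563268 IP 193.235.141.169.32768 > 666.42.7.11.53: 14 NS? cgatcity.com.cu. (33)
05:12:30.565660 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? cgatcity.al. (29)
05:12:30.566490 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? cgatcity.org.al. (33)
05:12:30.569474 IP 193.235.141.239.32768 > 666.42.7.11.53: 14 NS? clearing-muenchen.eg. (38)
05:12:30.571870 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? clearing-muenchen.com.ps. (42)
05:12:30.573436 IP 193.235.141.23.32768 > 666.42.7.11.53: 14 NS? cofls-welt.xn--pgbs0dh. (40)
05:12:30.574608 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? cofls-welt.az. (31)
""".splitlines()
# Randy's earlier capture: 5-character left-hand labels, none of which exist.
ENUM_RAND = """\
22:42:39.516849 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS? 33j4h.org.al. (30)
22:42:39.517640 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33m6d.xn--mgbayh7gpa. (38)
22:42:39.519169 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33lxd.tn. (26)
22:42:39.520064 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? 33md6.jo. (26)
22:42:39.521081 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? 33lxd.lb. (26)
22:42:39.523981 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 33pd2.az. (26)
22:42:39.525043 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? 33nc5.com.al. (30)
""".splitlines()
# Constructed: one resolver, ephemeral ports, plausible names, and still 100% NS queries.
RESOLVER = [f"05:12:31.{i:06d} IP 198.51.100.7.{40000 + 97 * i} > 666.42.7.11.53: {i} NS? {n}.al. ({21 + len(n)})"
            for i, n in enumerate(["shop", "bank", "hotel", "news", "taxi", "radio", "pizza"])]

def profile(lines):
    """Group query records by source /24 and compute the signals the thread points at."""
    blocks = defaultdict(list)
    for m in filter(None, map(REC.match, map(str.strip, lines))):
        ip, port, qtype, qname = m.group(1), int(m.group(2)), m.group(3), m.group(4).lower()
        blocks[str(ip_network(f"{ip}/24", strict=False))].append((ip, port, qtype, qname))
    out = {}
    for net, q in blocks.items():
        labels = [n.split(".")[0] for *_, n in q]            # leftmost label of each QNAME
        tlds = defaultdict(set)                              # label -> suffixes it was tried under
        for lab, (*_, n) in zip(labels, q):
            tlds[lab].add(n.partition(".")[2])
        modal = Counter(map(len, labels)).most_common(1)[0][0]
        out[net] = {
            "queries": len(q),
            "src_ips": len({ip for ip, *_ in q}),
            "src_ports": len({port for _, port, *_ in q}),
            "ns_fraction": sum(t == "NS" for _, _, t, _ in q) / len(q),
            "cross_tld_labels": sum(len(s) >= 2 for s in tlds.values()),
            "sorted_fraction": sum(a <= b for a, b in zip(labels, labels[1:])) / max(1, len(labels) - 1),
            "fixed_len_fraction": sum(len(l) == modal for l in labels) / len(labels),
        }
    return out

def verdict(p):
    """QTYPE=NS is not a signal by itself (Mark's point): ns_fraction is deliberately ignored."""
    if p["queries"] < 6:
        return "benign", []
    signals = {
        "many-ips-one-port": p["src_ips"] >= 5 and p["src_ports"] == 1,  # sender farm on a fixed port
        "same-label-many-tlds": p["cross_tld_labels"] >= 3,               # word tried under several TLDs
        "dictionary-walk": p["sorted_fraction"] >= 0.8,                   # names arrive alphabetically
        "fixed-length-labels": p["fixed_len_fraction"] >= 0.9,            # e.g. the 5-char labels Mark notes
    }
    hits = [name for name, on in signals.items() if on]
    return ("enumeration" if len(hits) >= 2 else "benign"), hits
```

The two enumerator captures trip different pairs of signals, while the constructed resolver stream is 100% NS queries and is still left alone.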



Re: swedish dns zone enumerator

2023-11-01 Thread Amir Herzberg
Randy, thanks for sharing, I didn't know this is actually done. Any idea if
they use something clever or just exhaustive search? thanks Amir
-- 
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures:
https://sites.google.com/site/amirherzberg/cybersecurity



