Re: swedish dns zone enumerator

2023-11-02 Thread Mark Andrews



> On 2 Nov 2023, at 20:25, Stephane Bortzmeyer  wrote:
> 
> On Thu, Nov 02, 2023 at 04:09:24PM +1100,
> Mark Andrews  wrote 
> a message of 90 lines which said:
> 
>> I also see QNAME minimisation in action as the QTYPE is NS.  This
>> could just be a open recursive servers using QNAME minimisation.
>> With QNAME minimisation working correctly all parent zones should
>> see is NS queries with the occasional DNSKEY and DS query.  Both
>> BIND and Knot use NS queries for QNAME minimisation.
> 
> I disagree. NS queries were used in the first RFC about QNAME
> minimisation (which was experimental) but the current one (which is on
> the standards track) now recommends A or  queries
> , specially section 2.1.

The QTYPE selection is always a matter of trade offs.  NS is still
perfectly fine and it is the ONLY type that actually works in a number
of scenarios.  Additionally the number of servers that don’t respond
to NS queries is remarkably small and decreasing.  More of an issue
is garbage NS RRsets below the zone cut.  A queries work well when there
is a zone cut at each label.  They don’t work well when there isn’t
a zone cut.  You get back nothing to say that there isn’t a zone cut
which leaves you needing to do the discovery on the next query to the
zone, and the next query to the zone, etc.  This leads to complaints
that you aren’t caching A (or whatever type you chose) queries. 

>> Other query types and/or prefixes do not work as they have
>> undesirable side effects.
> 
> Rather the contrary, some broken firewalls in front of authoritative
> name servers were crashing when using NS queries. Hence the choice of
> address queries. (Also, it improves privacy since it makes it more
> difficult to see you are doing QNAME minimisation.)

Hiding that you are doing QNAME minimisation is a non issue. As for
firewalls crashing, the more they crash the sooner they get fixed;
it’s been years now.

>> I would not like anyone to take seeing mostly NS queries as any
>> evidence of bad practice.
> 
> We agree here.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread Eric Kuhnke
Not specific to .US really

Pretty much every new gTLD that can be registered on "promotional" first
year prices below .com/.net/.org harbors a larger than usual proportion of
phishing domains and suspicious things, because one of the sole operational
criteria for phishers registering disposable domains that might have useful
lives of only hours or a few days, in bulk, is the cost per unit.


".us" is in much the same situation because I am seeing promotional prices
of $4.50 to $5 per domain for the first year.





On Thu, Nov 2, 2023 at 1:31 PM goemon--- via NANOG  wrote:

>
> https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/
>
> "The NTIA recently published a proposal that would allow registrars to
> redact all registrant data from WHOIS registration records for .US
> domains. A broad array of industry groups have filed comments opposing the
> proposed changes, saying they threaten to remove the last vestiges of
> accountability for a top-level domain that is already overrun with
> cybercrime activity."
>
> What hope is there when registrars are actively aiding and abetting
> criminal enterprises?
>
> Are there any legitimate services running solely on .us domain names?
>
> -Dan
>


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread bzs


On November 2, 2023 at 22:09 al...@allan.vin (Allan Liska) wrote:
 > I think it is a matter of proportionality. 
 > 
 > According to Spamhaus malicious domains account for only 1.5% of all .com 
 > domains, but 4.8% of all .us domains 
 > (https://www.spamhaus.org/statistics/tlds/) - compare that to .tk where 6.7% 
 > of all domains are malicious. 

And the bit.ly shortening service is operated under the Libyan ccTLD.

Also frequently used in spam email etc.

Libya doesn't even have a generally recognized government. Or perhaps
put better, has more than one competing government.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread William Herrin
On Thu, Nov 2, 2023 at 3:10 PM Allan Liska  wrote:
> According to Spamhaus malicious domains account for only 1.5% of all .com 
> domains, but 4.8% of all .us domains 
> (https://www.spamhaus.org/statistics/tlds/) - compare that to .tk where 6.7% 
> of all domains are malicious.

Hi Allan,

Careful. Statistics don't mean much when separated from their context.
Spamhaus doesn't appear to have published the raw numbers for anything
except the "top ten."

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread Rubens Kuhl
On Thu, Nov 2, 2023 at 5:46 PM William Herrin  wrote:
>
> On Thu, Nov 2, 2023 at 1:30 PM goemon--- via NANOG  wrote:
> > https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/
> >
> > What hope is there when registrars are actively aiding and abetting criminal 
> > enterprises?
>
> I'm confused. Does .com/.net/.org have a different/better
> vulnerability profile to these third party link shorteners?

This is likely related to NTIA ongoing consultation on redacting .us
WHOIS. Every time such a movement happens, a number of reports showing
the world will end because of that appear.

Rubens


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread Allan Liska
I think it is a matter of proportionality. 

According to Spamhaus malicious domains account for only 1.5% of all .com 
domains, but 4.8% of all .us domains 
(https://www.spamhaus.org/statistics/tlds/) - compare that to .tk where 6.7% of 
all domains are malicious. 


allan




--- Original Message ---
On Thursday, November 2nd, 2023 at 4:46 PM, William Herrin  
wrote:


> 
> 
> On Thu, Nov 2, 2023 at 1:30 PM goemon--- via NANOG nanog@nanog.org wrote:
> 
> > https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/
> > 
> > What hope is there when registrars are actively aiding and abetting criminal 
> > enterprises?
> 
> 
> I'm confused. Does .com/.net/.org have a different/better
> vulnerability profile to these third party link shorteners?
> 
> Regards,
> Bill Herrin
> 
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/


Network Solutions NOC Contact

2023-11-02 Thread Shahid Shafi
Hi All,

Can anyone from Network Solutions NOC or ops reach out to me asap? We are
dealing with a business critical issue and need your help urgently. The
issue is related to DNS propagation.

thanks
Shahid


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread Richard Holbo
There are LOTS of small businesses that have .us domains.  I've got several
that just use these domains as well as locality specific things such as
schools or towns that use them rather than the longer ones supplied to
municipal entities.

/rh

On Thu, Nov 2, 2023 at 1:34 PM goemon--- via NANOG  wrote:

>
> https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/
>
> "The NTIA recently published a proposal that would allow registrars to
> redact all registrant data from WHOIS registration records for .US
> domains. A broad array of industry groups have filed comments opposing the
> proposed changes, saying they threaten to remove the last vestiges of
> accountability for a top-level domain that is already overrun with
> cybercrime activity."
>
> What hope is there when registrars are actively aiding and abetting
> criminal enterprises?
>
> Are there any legitimate services running solely on .us domain names?
>
> -Dan
>


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread William Herrin
On Thu, Nov 2, 2023 at 1:30 PM goemon--- via NANOG  wrote:
> https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/
>
> What hope is there when registrars are actively aiding and abetting criminal 
> enterprises?

I'm confused. Does .com/.net/.org have a different/better
vulnerability profile to these third party link shorteners?

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


RE: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread Shawn L via NANOG

I personally own a .us domain name -- while it's a personal domain and doesn't 
do a lot of traffic, it's still a legitimate domain.


-Original Message-
From: "goemon--- via NANOG" 
Sent: Thursday, November 2, 2023 4:30pm
To: "NANOG list" 
Subject: .US Harbors Prolific Malicious Link Shortening Service



https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/

"The NTIA recently published a proposal that would allow registrars to 
redact all registrant data from WHOIS registration records for .US 
domains. A broad array of industry groups have filed comments opposing the 
proposed changes, saying they threaten to remove the last vestiges of 
accountability for a top-level domain that is already overrun with 
cybercrime activity."

What hope is there when registrars are actively aiding and abetting criminal 
enterprises?

Are there any legitimate services running solely on .us domain names?

-Dan

.US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread goemon--- via NANOG

https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/

"The NTIA recently published a proposal that would allow registrars to 
redact all registrant data from WHOIS registration records for .US 
domains. A broad array of industry groups have filed comments opposing the 
proposed changes, saying they threaten to remove the last vestiges of 
accountability for a top-level domain that is already overrun with 
cybercrime activity."


What hope is there when registrars are actively aiding and abetting criminal 
enterprises?

Are there any legitimate services running solely on .us domain names?

-Dan


Re: swedish dns zone enumerator

2023-11-02 Thread John McCormac

On 02/11/2023 05:15, Randy Bush wrote:

> ya, right,  and at a whole bunch of other cctld servers
>
> from a network called domaincrawler-hosting

It looks like a list based attempt to discover domain names registered 
in some small ccTLDs. The problem with some of the queries is that a few 
of the second level subdomains of those ccTLDs have just hundreds of 
registrations. Not sure if it is a DNSSEC based attack.


Unlike the gTLDs, available via the ICANN CZDS, most ccTLDs don't 
provide access to their zone files. Some of the queries are odd because 
it seems to be applying lists from Swedish or German language sources to 
small ccTLDs where the main languages of the countries are not Swedish 
or German. Some of those domain name strings don't exist in the gTLDs. A 
few of the examples don't exist in the .SE or .DE ccTLDs either.


The ccTLDs become more "unique" when the main language of their country 
is not English. As a ccTLD's market evolves, registrants will often 
decide to only register in their ccTLD rather than in .COM or other 
gTLDs. The percentage of these unique registrations, as opposed to 
registrations having an equivalent in the gTLDs, can be upwards of 15%. 
The percentage is also affected by economic conditions in the ccTLD's 
market and the price of a ccTLD registration compared to a .COM 
registration. The problems for a list based dns enumeration on these 
small ccTLDs are that there are a lot of them and they are small.


It might be an idea to contact Domaincrawler(.)com and ask what it is 
doing.


Regards...jmcc
--
**
John McCormac  *  e-mail: j...@hosterstats.com
MC2*  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford  *  Domnomics - the business of domain names
Ireland*  https://amzn.to/2OPtEIO
IE *  Skype: hosterstats.com
**
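
The distinction drawn in this thread (NS queries alone are not a signature, while the same candidate name tried under many unrelated ccTLD suffixes from one netblock is what a list-based walk looks like), as an added example that is not part of any list member's post. The sample lines are constructed in the format of the tcpdump capture quoted in the thread, with documentation addresses; the /24 grouping, the leftmost-label split and the threshold of three suffixes are assumptions of this sketch.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# One `tcpdump -n` DNS query line:
#   <time> IP <src>.<sport> > <dst>.53: <id>[flags] [opts] <QTYPE>? <qname> (<len>)
QUERY_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > \S+\.53: "
    r"\d+[+%*-]*(?: \[[^\]]*\])? (?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) \(\d+\)"
)

# Constructed sample (documentation address space, not a real capture).
# 192.0.2.0/24 walks a name list across ccTLD suffixes; 198.51.100.0/24 is a
# resolver sending NS queries, as QNAME minimisation does.
SAMPLE_CAPTURE = """\
05:12:30.563268 IP 192.0.2.169.32768 > 203.0.113.53.53: 14 NS? cgatcity.com.cu. (33)
05:12:30.565660 IP 192.0.2.209.32768 > 203.0.113.53.53: 14 NS? cgatcity.al. (29)
05:12:30.566490 IP 192.0.2.209.32768 > 203.0.113.53.53: 14 NS? cgatcity.org.al. (33)
05:12:30.575356 IP 192.0.2.215.32768 > 203.0.113.53.53: 14 NS? conomix.eg. (28)
05:12:30.575950 IP 192.0.2.171.32768 > 203.0.113.53.53: 14 NS? conomix.net.ps. (32)
05:12:30.577800 IP 192.0.2.134.32768 > 203.0.113.53.53: 14 NS? conomix.cu. (28)
05:12:30.578272 IP 192.0.2.177.32768 > 203.0.113.53.53: 14 NS? conomix.net.lb. (32)
05:12:30.582157 IP 192.0.2.162.32768 > 203.0.113.53.53: 14 NS? dailycatesse.sz. (33)
05:12:30.583439 IP 192.0.2.181.32768 > 203.0.113.53.53: 14 NS? dailycatesse.az. (33)
05:12:31.100201 IP 198.51.100.7.41022 > 203.0.113.53.53: 52011 NS? bakery.al. (27)
05:12:31.230417 IP 198.51.100.7.51877 > 203.0.113.53.53: 52012 [1au] NS? museum.al. (38)
05:12:31.644020 IP 198.51.100.9.40110 > 203.0.113.53.53: 9071 NS? bakery.al. (27)
05:12:31.790233 IP 198.51.100.9.40112 > 203.0.113.53.53: 9072 NS? kitchen.al. (28)
""".splitlines()


def parse_queries(lines):
    """Return (src_ip, QTYPE, qname) for every DNS query line; skip the rest."""
    queries = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            qname = m["qname"].rstrip(".").lower()
            queries.append((m["src"], m["qtype"].upper(), qname))
    return queries


def source_net(src, prefix_len=24):
    """Collapse a source address to its covering network, or None if invalid."""
    try:
        return str(ip_network(f"{src}/{prefix_len}", strict=False))
    except ValueError:
        return None


def qtypes_by_net(queries, prefix_len=24):
    """QTYPEs seen per source network. Shows that QTYPE alone separates nothing."""
    seen = defaultdict(set)
    for src, qtype, _qname in queries:
        net = source_net(src, prefix_len)
        if net:
            seen[net].add(qtype)
    return dict(seen)


def flag_list_walks(queries, min_suffixes=3, prefix_len=24):
    """Per source network, the leftmost labels tried under >= min_suffixes suffixes.

    Assumption: the leftmost label is the candidate name and the remainder is
    the suffix, which holds for queries sent straight to a TLD server.
    """
    reuse = defaultdict(lambda: defaultdict(set))
    for src, _qtype, qname in queries:
        label, _, suffix = qname.partition(".")
        net = source_net(src, prefix_len)
        if net and suffix:
            reuse[net][label].add(suffix)
    flagged = {}
    for net, labels in reuse.items():
        hits = sorted(l for l, sfx in labels.items() if len(sfx) >= min_suffixes)
        if hits:
            flagged[net] = hits
    return flagged


if __name__ == "__main__":
    parsed = parse_queries(SAMPLE_CAPTURE)
    print(qtypes_by_net(parsed))
    print(flag_list_walks(parsed))
```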




Congrats Board Members! Exploring N89 w/ Kentik’s Justin Ryburn + Playlist on YouTube

2023-11-02 Thread Nanog News
*Congratulations Board Members!*

 Congratulations Cat Gurinsky + Vincent Celindro, for being elected to the
NANOG Board of Directors! We are grateful for your service and look forward
to your upcoming term.

 *NANOG 89 Playlist is on YouTube! *

Have you subscribed to our YouTube channel? Watch all N89 presentations on
our "NANOG 89 Playlist."

 *WATCH NOW*
https://m.youtube.com/watch?v=BdnVdJ8_gK8=PLO8DR5ZGla8g_8k95Rjhgf2Jx2touuPJ4

 *NANOG 90 Meeting Host: We Want You!*
* Invest in the Strength of the Community We Have Built*

NANOG is, and always has been, dedicated to the people who make up our
community. Our in-person conferences draw up to 1,500 individuals in
multiple facets of network engineering, operations, and architecture, who
gather with us in major cities across North America.

 Our next meeting will take place in Charlotte, NC 12-14, February, 2024.
Your organization will receive top branding above all other sponsors.

 Contact Shawn Winstead swinst...@nanog.org for more details.

*Guest Blog: Exploring NANOG's Most Recent Meeting *
*Deep Dive into N89 San Diego w/ Kentik's Justin Ryburn *

*“As the networking landscape evolves, events like NANOG 89 are pivotal in
fostering collaboration, knowledge sharing, and innovation."*

 Check out Ryburn's highlights and thoughts on attending N89.

*READ MORE *
https://nanog.org/stories/articles/exploring-nanog-89/



Re: swedish dns zone enumerator

2023-11-02 Thread Randy Bush
> I might be reading this wrong, but I don't think the point Randy was
> trying to make was 'NS queries are an attack', 'UDP packets are an
> attack' or 'IP packets are an attack' . I base this on the list of
> queries Randy decided to include as relevant to the thesis Randy was
> trying to make, instead of wholesale warning of IP, UDP or NS queries.

i was warning of an ndrek3 enumeration attack from the source netblock's
ip space

i am far from an expert in ndrek3 enumeration.  but i naïvely assume
that most tld rrs are ns so that is what they're after.  but, as you
say, that is beside the point.

randy


Re: OSP Management

2023-11-02 Thread Josh Luthman
3GIS here

On Tue, Oct 31, 2023 at 11:33 AM Stonebraker, Jack J 
wrote:

> 3GIS here.  Great product.
>
> *JJ Stonebraker*  |  Associate Director
> The University of Texas System | Office of Telecommunication Services
> *(512) 232-0888*  | j...@ots.utsystem.edu
>
>
> --
> *From:* NANOG  on behalf of
> Tim Burke 
> *Sent:* Tuesday, October 31, 2023 10:26 AM
> *To:* Mike Hammett ; michael.bro...@adams12.org <
> michael.bro...@adams12.org>
> *Cc:* NANOG 
> *Subject:* Re: OSP Management
>
> We're on OSPInsight here. Don't have much exposure to it, but it seems to
> do the trick well.
> --
> *From:* NANOG  on behalf of michael
> brooks - ESC 
> *Sent:* Tuesday, October 31, 2023 8:26 AM
> *To:* Mike Hammett 
> *Cc:* NANOG 
> *Subject:* OSP Management
>
> On that note, what do you all use for managing OSP? We have been
> attempting to stand up PatchManager for quite some time, and find it a good
> product, but the billions of options can be overwhelming
>
>
>
>
> michael brooks
> Sr. Network Engineer
> Adams 12 Five Star Schools
> michael.bro...@adams12.org
> 
> "flying is learning how to throw yourself at the ground and miss"
>
>
>
> On Fri, Oct 27, 2023 at 5:54 AM Mike Hammett  wrote:
>
>  Always fun managing OSP.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> 
>
> Midwest-IX
> http://www.midwest-ix.com
> 
>
>
>


Re: OSP Management

2023-11-02 Thread Carl Lindahl
3Gis is great. We are switching to Crescent link which seems to be lacking
the feature diversity and granularity of 3GIS.

On Tue, Oct 31, 2023 at 11:35 AM Stonebraker, Jack J 
wrote:

> 3GIS here.  Great product.
>
> *JJ Stonebraker*  |  Associate Director
> The University of Texas System | Office of Telecommunication Services
> *(512) 232-0888*  | j...@ots.utsystem.edu
>
>
> --
> *From:* NANOG  on behalf of
> Tim Burke 
> *Sent:* Tuesday, October 31, 2023 10:26 AM
> *To:* Mike Hammett ; michael.bro...@adams12.org <
> michael.bro...@adams12.org>
> *Cc:* NANOG 
> *Subject:* Re: OSP Management
>
> We're on OSPInsight here. Don't have much exposure to it, but it seems to
> do the trick well.
> --
> *From:* NANOG  on behalf of michael
> brooks - ESC 
> *Sent:* Tuesday, October 31, 2023 8:26 AM
> *To:* Mike Hammett 
> *Cc:* NANOG 
> *Subject:* OSP Management
>
> On that note, what do you all use for managing OSP? We have been
> attempting to stand up PatchManager for quite some time, and find it a good
> product, but the billions of options can be overwhelming
>
>
>
>
> michael brooks
> Sr. Network Engineer
> Adams 12 Five Star Schools
> michael.bro...@adams12.org
> 
> "flying is learning how to throw yourself at the ground and miss"
>
>
>
> On Fri, Oct 27, 2023 at 5:54 AM Mike Hammett  wrote:
>
>  Always fun managing OSP.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> 
>
> Midwest-IX
> http://www.midwest-ix.com
> 
>
>
>


-- 
Carl Lindahl
Network Engineer
MCNC
3021 E. Cornwallis Rd.
Research Triangle Park, NC 27709
(919) 248- Network Operations Center
*** WORKING HOURS M-F 7AM - 4PM ***


Re: swedish dns zone enumerator

2023-11-02 Thread Stephane Bortzmeyer
On Thu, Nov 02, 2023 at 04:09:24PM +1100,
 Mark Andrews  wrote 
 a message of 90 lines which said:

> I also see QNAME minimisation in action as the QTYPE is NS.  This
> could just be a open recursive servers using QNAME minimisation.
> With QNAME minimisation working correctly all parent zones should
> see is NS queries with the occasional DNSKEY and DS query.  Both
> BIND and Knot use NS queries for QNAME minimisation.

I disagree. NS queries were used in the first RFC about QNAME
minimisation (which was experimental) but the current one (which is on
the standards track) now recommends A or  queries
, specially section 2.1.

> Other query types and/or prefixes do not work as they have
> undesirable side effects.

Rather the contrary, some broken firewalls in front of authoritative
name servers were crashing when using NS queries. Hence the choice of
address queries. (Also, it improves privacy since it makes it more
difficult to see you are doing QNAME minimisation.)

> I would not like anyone to take seeing mostly NS queries as any
> evidence of bad practice.

We agree here.



Re: swedish dns zone enumerator

2023-11-02 Thread Saku Ytti
On Thu, 2 Nov 2023 at 10:32, Mark Andrews  wrote:

> You missed the point I was trying to make.  While I think that that source is 
> trying to enumerate some part of the namespace, NS queries by themselves 
> don’t indicate an attack. Others would probably see the series of NS queries 
> as a signature of an attack when they are NOT.  There needs to be much more 
> than that to make that conclusion.

I might be reading this wrong, but I don't think the point Randy was
trying to make was 'NS queries are an attack', 'UDP packets are an
attack' or 'IP packets are an attack' . I base this on the list of
queries Randy decided to include as relevant to the thesis Randy was
trying to make, instead of wholesale warning of IP, UDP or NS queries.

-- 
  ++ytti


Re: swedish dns zone enumerator

2023-11-02 Thread Mark Andrews
You missed the point I was trying to make.  While I think that that source is 
trying to enumerate some part of the namespace, NS queries by themselves don’t 
indicate an attack. Others would probably see the series of NS queries as a 
signature of an attack when they are NOT.  There needs to be much more than 
that to make that conclusion. 

-- 
Mark Andrews

> On 2 Nov 2023, at 06:15, Randy Bush  wrote:
> 
> ya, right,  and at a whole bunch of other cctld servers
> 
> from a network called domaincrawler-hosting
> 
> shall we smoke another?
> 
> /home/randy> sudo tcpdump -pni vtnet0 -c 500 port 53 and net 193.235.141
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 05:12:30.563268 IP 193.235.141.169.32768 > 666.42.7.11.53: 14 NS? 
> cgatcity.com.cu. (33)
> 05:12:30.565017 IP 193.235.141.215.32768 > 666.42.7.11.53: 14 NS? 
> christ-jockel.jo. (34)
> 05:12:30.565660 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? 
> cgatcity.al. (29)
> 05:12:30.566490 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? 
> cgatcity.org.al. (33)
> 05:12:30.566694 IP 193.235.141.3.32768 > 666.42.7.11.53: 14 NS? 
> christian-luber-jr.net.al. (43)
> 05:12:30.569474 IP 193.235.141.239.32768 > 666.42.7.11.53: 14 NS? 
> clearing-muenchen.eg. (38)
> 05:12:30.571870 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? 
> clearing-muenchen.com.ps. (42)
> 05:12:30.573436 IP 193.235.141.23.32768 > 666.42.7.11.53: 14 NS? 
> cofls-welt.xn--pgbs0dh. (40)
> 05:12:30.573914 IP 193.235.141.173.32768 > 666.42.7.11.53: 14 NS? 
> club-lederwerk-neustadt.net.al. (48)
> 05:12:30.574608 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? 
> cofls-welt.az. (31)
> 05:12:30.575203 IP 193.235.141.183.32768 > 666.42.7.11.53: 14 NS? 
> cofls-welt.lb. (31)
> 05:12:30.575356 IP 193.235.141.215.32768 > 666.42.7.11.53: 14 NS? conomix.eg. 
> (28)
> 05:12:30.575950 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? 
> conomix.net.ps. (32)
> 05:12:30.577242 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS? 
> computercheck-online.tn. (41)
> 05:12:30.577800 IP 193.235.141.134.32768 > 666.42.7.11.53: 14 NS? conomix.cu. 
> (28)
> 05:12:30.578272 IP 193.235.141.177.32768 > 666.42.7.11.53: 14 NS? 
> conomix.net.lb. (32)
> 05:12:30.578480 IP 193.235.141.114.32768 > 666.42.7.11.53: 14 NS? 
> cstreibel.lr. (30)
> 05:12:30.578896 IP 193.235.141.114.32768 > 666.42.7.11.53: 14 NS? 
> cstreibel.org.lb. (34)
> 05:12:30.579060 IP 193.235.141.244.32768 > 666.42.7.11.53: 14 NS? 
> cristallcard.az. (33)
> 05:12:30.580681 IP 193.235.141.11.32768 > 666.42.7.11.53: 14 NS? d-cypher.tn. 
> (29)
> 05:12:30.581812 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? 
> d-cypher.al. (29)
> 05:12:30.582157 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 
> dailycatesse.sz. (33)
> 05:12:30.582381 IP 193.235.141.142.32768 > 666.42.7.11.53: 14 NS? 
> d-cypher.eg. (29)
> 05:12:30.583340 IP 193.235.141.125.32768 > 666.42.7.11.53: 14 NS? 
> damensattel-duesseldorf.net.ps. (48)
> 05:12:30.583439 IP 193.235.141.181.32768 > 666.42.7.11.53: 14 NS? 
> dailycatesse.az. (33)
> 05:12:30.584078 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? 
> dailycatesse.mw. (33)
> 05:12:30.584330 IP 193.235.141.160.32768 > 666.42.7.11.53: 14 NS? 
> dailycatesse.org.al. (37)
> 05:12:30.584730 IP 193.235.141.3.32768 > 666.42.7.11.53: 14 NS? 
> darkroom24.net.al. (35)
> 05:12:30.585506 IP 193.235.141.7.32768 > 666.42.7.11.53: 14 NS? 
> damensattel-duesseldorf.jo. (44)
> 05:12:30.585995 IP 193.235.141.127.32768 > 666.42.7.11.53: 14 NS? 
> dassehen.lr. (29)
> 05:12:30.587759 IP 193.235.141.173.32768 > 666.42.7.11.53: 14 NS? 
> darkroom24.tn. (31)
> 05:12:30.588076 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 
> dgurock.org.al. (32)
> 05:12:30.589055 IP 193.235.141.212.32768 > 666.42.7.11.53: 14 NS? dictys.jo. 
> (27)
> 05:12:30.589640 IP 193.235.141.240.32768 > 666.42.7.11.53: 14 NS? dgurock.az. 
> (28)
> 05:12:30.591432 IP 193.235.141.172.32768 > 666.42.7.11.53: 14 NS? 
> dictys.com.ps. (31)
> 05:12:30.592608 IP 193.235.141.213.32768 > 666.42.7.11.53: 14 NS? 
> disko-thema.org.al. (36)
> 05:12:30.593365 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? 
> diesling-1.net.al. (35)
> 05:12:30.593814 IP 193.235.141.147.32768 > 666.42.7.11.53: 14 NS? 
> diesling-1.ps. (31)
> 05:12:30.595057 IP 193.235.141.240.32768 > 666.42.7.11.53: 14 NS? 
> disko-thema.net.al. (36)
> 05:12:30.595722 IP 193.235.141.157.32768 > 666.42.7.11.53: 14 NS? 
> disko-thema.xn--mgbayh7gpa. (44)
> 05:12:30.596496 IP 193.235.141.135.32768 > 666.42.7.11.53: 14 NS? 
> downbeat-band.com.lb. (38)
> 05:12:30.596898 IP 193.235.141.185.32768 > 666.42.7.11.53: 14 NS? 
> dj-hc-team.sz. (31)
> 05:12:30.598077 IP 193.235.141.177.32768 > 666.42.7.11.53: 14 NS? 
> dnd-testdomain.net.al. (39)
> 05:12:30.598203 IP 193.235.141.146.32768 > 666.42.7.11.53: 14 NS? 
> dnd-testdomain.net.ps. (39)
> 05:12:30.598338 IP 193.235.141.215.32768 > 666.42.7.11.53: 14 NS?