nanog mailing list archives
Re: swedish dns zone enumerator
From: Mark Andrews <marka () isc org>
Date: Thu, 2 Nov 2023 16:09:24 +1100
While I see evidence for the claim, 5 character left hand label and all non-existent. I also see QNAME minimisation in action as the QTYPE is NS. This could just be open recursive servers using QNAME minimisation. With QNAME minimisation working correctly all parent zones should see is NS queries with the occasional DNSKEY and DS query. Both BIND and Knot use NS queries for QNAME minimisation. Other query types and/or prefixes do not work as they have undesirable side effects.

I would not like anyone to take seeing mostly NS queries as any evidence of bad practice. On the contrary, this is best practice. It’s just relatively new.

I would also like to remind everyone here that QNAME minimisation using NS queries will expose the bad practice of having mis-matching NS RRsets above and below the zone cut and having garbage NS RRsets in the child zone when both parent and child are served by the same servers. Please ensure your NS RRsets are consistent on both sides of the zone cut and that they are sane.

Mark
On 1 Nov 2023, at 09:46, Randy Bush <randy () psg com> wrote:

i have blocked a zone enumerator, though i guess they will be a whack-a-mole

others have reported them as well

/home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:42:39.516849 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS? 33j4h.org.al. (30)
22:42:39.517640 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33m6d.xn--mgbayh7gpa. (38)
22:42:39.519169 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33lxd.tn. (26)
22:42:39.520064 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? 33md6.jo. (26)
22:42:39.521081 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? 33lxd.lb. (26)
22:42:39.523981 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 33pd2.az. (26)
22:42:39.525043 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? 33nc5.com.al. (30)
22:42:39.526185 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? 33nc5.sz. (26)
22:42:39.527931 IP 193.235.141.150.32768 > 666.42.7.11.53: 14 NS? 33q5p.com.al. (30)
22:42:39.529516 IP 193.235.141.210.32768 > 666.42.7.11.53: 14 NS? 33qbq.com.al. (30)
10 packets captured
124 packets received by filter
0 packets dropped by kernel

inetnum:        193.235.141.0 - 193.235.141.255
netname:        domaincrawler-hosting
descr:          domaincrawler hosting
org:            ORG-ABUS1196-RIPE
country:        SE
admin-c:        VIJE1-RIPE
tech-c:         VIJE1-RIPE
status:         ASSIGNED PA
notify:         c+1196 () resilans se
mnt-by:         RESILANS-MNT
mnt-routes:     ETTNET-LIR
created:        2008-04-03T11:21:00Z
last-modified:  2017-04-10T12:47:06Z
source:         RIPE

randy
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: marka () isc org
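
Added example, not part of the message above or of any ISC tooling: one way to check that a zone's NS RRset matches on both sides of the zone cut, given record lines in the presentation format that dig prints for the parent's delegation and the child's apex NS RRset. The zone example.se, its name servers and both record sets are constructed placeholders, and the "suspect" rule (a target with fewer than two labels) is only an assumed stand-in for what counts as not sane.

```python
"""Compare a zone's NS RRset as seen at the parent and at the child."""

# Constructed sample input: delegation NS records from the parent side and
# apex NS records from the child side. All names are placeholders.
PARENT_SIDE = """\
example.se.        86400  IN  NS  ns1.example.se.
example.se.        86400  IN  NS  ns2.example.se.
"""
CHILD_SIDE = """\
EXAMPLE.se.        3600   IN  NS  NS1.example.se.
example.se.        3600   IN  NS  ns3.example.net.
example.se.        3600   IN  NS  localhost.
"""


def norm(name):
    """DNS names compare case-insensitively; return the absolute form."""
    return name.strip().lower().rstrip(".") + "."


def ns_targets(text, zone):
    """Return the set of NS targets owned by `zone` in dig-style record lines."""
    targets = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or dig comment
        upper = [f.upper() for f in fields]
        # TTL and class are optional, so locate the type field by value.
        if "NS" in upper[1:-1] and norm(fields[0]) == norm(zone):
            targets.add(norm(fields[upper.index("NS", 1) + 1]))
    return targets


def compare(zone, parent_text, child_text):
    """Report how the parent and child NS RRsets for `zone` differ."""
    parent = ns_targets(parent_text, zone)
    child = ns_targets(child_text, zone)
    return {
        "consistent": bool(parent) and parent == child,
        "parent_only": sorted(parent - child),
        "child_only": sorted(child - parent),
        # Assumed heuristic: a single-label or root target cannot be a
        # reachable name server.
        "suspect": sorted(t for t in parent | child if t.count(".") < 2),
    }


if __name__ == "__main__":
    for key, value in compare("example.se", PARENT_SIDE, CHILD_SIDE).items():
        print(f"{key}: {value}")
```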