Random nx name queries, anyone see this before?

Dave Sparro dsparro at gmail.com
Tue Dec 16 16:01:44 UTC 2008


Alan Clegg wrote:
> ponga2112 at gmail.com wrote:
>> I'm seeing name queries from a couple clients on the network that
>> occur around every two minutes - the queries are evidently random and
>> are looking for A IN records of this form, as an example:
>>
>> ungzbvyf.lzghmccim
>>
>> They always look like this, 8 lowercase chars, dot, then 9 lowercase
>> chars - never an FQDN.
>> I can't find what this might be - has anyone seen this before or have
>> any ideas?
> 
> I've seen this and told a couple of people, but nobody has really shown
> interest.
> 
> In addition to the regular format that you see, I've also picked up a
> pattern when you start seeing the queries from multiple sources...
> 

I've seen it as well.  The only pattern I've noticed is that the same name
is commonly queried by multiple sources within about a 30-60 second window.
Other than that window, the queries aren't repeated in at least 48 hours.



-- 
Dave
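
An added example, not part of the original thread: a small script that pulls the queries described above (A lookups for 8 lowercase letters, a dot, then 9 lowercase letters) out of a resolver query log and flags names requested by more than one source within a short window. The log layout, the sample lines, the 60-second default and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample lines; the layout is an assumed BIND-style query log.
SAMPLE_LOG = """\
16-Dec-2008 15:58:01.100 client 192.0.2.10#40001: query: ungzbvyf.lzghmccim IN A +
16-Dec-2008 15:58:20.500 client 192.0.2.11#40002: query: ungzbvyf.lzghmccim IN A +
16-Dec-2008 15:58:41.000 client 192.0.2.12#40003: query: www.example.com IN A +
16-Dec-2008 16:00:02.250 client 192.0.2.10#40004: query: qkdjwtrh.pfmzxoaeu IN A +
16-Dec-2008 16:00:05.000 client 192.0.2.10#40005: query: abcdefgh.ijklmnopq IN AAAA +
16-Dec-2008 16:03:30.000 client 192.0.2.11#40006: query: qkdjwtrh.pfmzxoaeu IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
# Exactly 8 lowercase letters, a dot, 9 lowercase letters, and nothing else.
NAME_RE = re.compile(r"^[a-z]{8}\.[a-z]{9}$")


def matching_queries(log):
    """Yield (time, source, name) for A queries whose name fits the pattern."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["type"] == "A" and NAME_RE.match(m["name"]):
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["src"], m["name"]


def summarize(log, window=timedelta(seconds=60)):
    """Per name: the sources that asked, and whether two different sources
    asked for it within `window` of each other."""
    hits = defaultdict(list)
    for ts, src, name in matching_queries(log):
        hits[name].append((ts, src))
    report = {}
    for name, seen in hits.items():
        seen.sort()  # chronological, so b is never earlier than a below
        shared = any(a[1] != b[1] and b[0] - a[0] <= window
                     for a, b in combinations(seen, 2))
        report[name] = {"sources": sorted({s for _, s in seen}),
                        "shared": shared}
    return report


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(name, info["sources"],
              "shared within window" if info["shared"] else "not shared")
```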




More information about the bind-users mailing list