isc and other hosts connecting to my NS

Tue Oct 7 16:51:41 UTC 2008

Maybe he's testing it.  Considering who his clients are it most likely the
isc is digging for information. And you not alone.  I have seen from time to
time scans from Vixieland on all sorts of ranges so It would not surprise me
if Vixieland scans all IP ranges.
cheers
joe baptista

On Tue, Oct 7, 2008 at 3:02 AM, Scott Haneda <talklists at newgeo.com> wrote:

> Hello, I brought online a new NS, one in which the IP has not been
> used before, at least, not for a NS.  Maybe, many years ago, it was
> used as a http server.
>
> I see a few queries come into my named logs that are clearly
> vulnerability scans, which while I do not like them, at least I
> understand why they are there.
>
> Curious are below:
> 06-Oct-2008 09:09:27.942 queries: info: client 149.20.56.10#20053:
> query: www.orkut.co.in IN ANY -
> 06-Oct-2008 09:01:01.025 queries: info: client 149.20.56.10#20053:
> query: www.capitalone.com IN ANY
>
> dig result
> 56.20.149.in-addr.arpa. 3600    IN      SOA     ns-int.isc.org.
> hostmaster.isc.org. 2008100500 7200 3600 604800 3600
>
> Why does isc.org query my server?  It is a non recursive server, and
> only does lookups for my local machines, and of course, authoritative
> lookups for the few domains I am hasting.  I allow recursion on one
> IP, mine at home on a comcast connection.
>
> There are others, not isc.org based, but most of them are, calling out
> myspace, facebook, and perhaps the most frightening one was
> cakefarts.com (NSFW)
>
> Any help understanding what is going on would be most appreciated,
> thanks.
> --
> Scott
>
>
>

-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084