lot of 'ripe.net IN ANY +ED' queries
marka at isc.org
Wed Jul 25 00:43:38 UTC 2012
In message <500ED56F.1080407 at gmail.com>, Daniel Migault writes:
> Actually we detected these ripe.net ANY requests by observing an
> increase in TCP DNS requests due to large DNSSEC responses. IP address
> does not seem spoofed. It seems these (very few) client wait 10 sec
> before closing their TCP connection, which increases the platform load.
> We think it is a malware, but feel free to provide more information on
> that topic.
If it is TCP then it would be "ripe.net IN ANY +ETD" being logged
as the query log records whether it is TCP or not. The original
poster is getting UDP queries.
If you are getting lots of TCP queries then you should be addressing
the source directly and getting that fixed.
> On 07/24/2012 05:22 PM, Stephane Bortzmeyer wrote:
> > On Mon, Jul 23, 2012 at 04:49:24PM +0200,
> > Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote
> > a message of 15 lines which said:
> >> Buggy. It parses the DNS packet from the end and therefore fails
> >> with EDNS packets (which have the OPT resource record at the end).
> > After checking, I stand corrected. This is not the original xt_dns
> > (which is buggy) but a fork which fixes the parsing. Sorry for the
> > false alarm.
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri
> be from this list
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> bind-users mailing list
> bind-users at lists.isc.org
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users