FW: Preventing a particular type of nameserver abuse

Richard T.A. Neal richard at richardneal.com
Wed Apr 14 08:07:15 UTC 2021

Paul Kosinksi wrote:

> Interesting observation. I just did lookups on 4 recent (< 24 hrs ago) 'sl/ANY/IN' queries logged by our BIND and got:
> ...1 OVH Hosting IP (Montreal)
> The whois info for the OVH IP contains the line:
>  Comment:   Failover IPs

Just out of interest, because I run some services on OVH, I know what that term means. When you rent a dedicated server from OVH you are assigned a single IPv4 address. Let's assume that you then want to use VMware or Hyper-V on that dedicated server to run some VMs - for many of those VMs you'll obviously want a distinct public IPv4 address. So OVH assign you what they term a "failover" block of IPv4 addresses. I don't know why they use that term, I just know that they do! So really it's just confirmation that it's an OVH customer (running a VM on a dedicated server) that is either the source IP or the spoofed target.


More information about the bind-users mailing list