Re: swedish dns zone enumerator

[Mark Andrews <marka () isc org>]

While I see evidence for the claim, 5 character left hand label and all non-existant.
I also see QNAME minimisation in action as the QTYPE is NS.  This could just be a open
recursive servers using QNAME minimisation.  With QNAME minimisation working correctly
all parent zones should see is NS queries with the occasional DNSKEY and DS query.  Both
BIND and Knot use NS queries for QNAME minimisation.  Other query types and/or prefixes
do not work as they have undesirable side effects.

I would not like anyone to take seeing mostly NS queries as any evidence of bad practice.
On the contrary, this is best practice.  It’s just relatively new.

I would also like to remind everyone here that QNAME minimisation using NS queries will
expose the bad practice of having mis-matching NS RRsets above and below the zone cut and
having garbage NS RRsets in the child zone when both parent and child are served by the same
servers.  Please ensure your NS RRsets are consistent on both sides of the zone cut and that
they are sane.

Mark


> On 1 Nov 2023, at 09:46, Randy Bush <randy () psg com> wrote:
>
> i have blocked a zone enumerator, though i guess they will be a
> whack-a-mole
>
> others have reported them as well
>
> /home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 22:42:39.516849 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS? 33j4h.org.al. (30)
> 22:42:39.517640 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33m6d.xn--mgbayh7gpa. (38)
> 22:42:39.519169 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33lxd.tn. (26)
> 22:42:39.520064 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? 33md6.jo. (26)
> 22:42:39.521081 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? 33lxd.lb. (26)
> 22:42:39.523981 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 33pd2.az. (26)
> 22:42:39.525043 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS? 33nc5.com.al. (30)
> 22:42:39.526185 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? 33nc5.sz. (26)
> 22:42:39.527931 IP 193.235.141.150.32768 > 666.42.7.11.53: 14 NS? 33q5p.com.al. (30)
> 22:42:39.529516 IP 193.235.141.210.32768 > 666.42.7.11.53: 14 NS? 33qbq.com.al. (30)
> 10 packets captured
> 124 packets received by filter
> 0 packets dropped by kernel
>
> inetnum:        193.235.141.0 - 193.235.141.255
> netname:        domaincrawler-hosting
> descr:          domaincrawler hosting
> org:            ORG-ABUS1196-RIPE
> country:        SE
> admin-c:        VIJE1-RIPE
> tech-c:         VIJE1-RIPE
> status:         ASSIGNED PA
> notify:         c+1196 () resilans se
> mnt-by:         RESILANS-MNT
> mnt-routes:     ETTNET-LIR
> created:        2008-04-03T11:21:00Z
> last-modified:  2017-04-10T12:47:06Z
> source:         RIPE
>
> randy

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org