nanog mailing list archives

Re: swedish dns zone enumerator

From: Amir Herzberg <amir.lists () gmail com>
Date: Wed, 1 Nov 2023 17:43:05 -0400

Randy, thanks for sharing, I didn't know this is actually done. Any idea if
they use something clever or just exhaustive search? thanks Amir
-- 
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures:
https://sites.google.com/site/amirherzberg/cybersecurity




On Tue, Oct 31, 2023 at 6:49 PM Randy Bush <randy () psg com> wrote:

i have blocked a zone enumerator, though i guess they will be a
whack-a-mole

others have reported them as well

/home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:42:39.516849 IP 193.235.141.90.32768 > 666.42.7.11.53: 14 NS?
33j4h.org.al. (30)
22:42:39.517640 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS?
33m6d.xn--mgbayh7gpa. (38)
22:42:39.519169 IP 193.235.141.17.32768 > 666.42.7.11.53: 14 NS? 33lxd.tn.
(26)
22:42:39.520064 IP 193.235.141.171.32768 > 666.42.7.11.53: 14 NS? 33md6.jo.
(26)
22:42:39.521081 IP 193.235.141.247.32768 > 666.42.7.11.53: 14 NS? 33lxd.lb.
(26)
22:42:39.523981 IP 193.235.141.162.32768 > 666.42.7.11.53: 14 NS? 33pd2.az.
(26)
22:42:39.525043 IP 193.235.141.60.32768 > 666.42.7.11.53: 14 NS?
33nc5.com.al. (30)
22:42:39.526185 IP 193.235.141.209.32768 > 666.42.7.11.53: 14 NS? 33nc5.sz.
(26)
22:42:39.527931 IP 193.235.141.150.32768 > 666.42.7.11.53: 14 NS?
33q5p.com.al. (30)
22:42:39.529516 IP 193.235.141.210.32768 > 666.42.7.11.53: 14 NS?
33qbq.com.al. (30)
10 packets captured
124 packets received by filter
0 packets dropped by kernel

inetnum:        193.235.141.0 - 193.235.141.255
netname:        domaincrawler-hosting
descr:          domaincrawler hosting
org:            ORG-ABUS1196-RIPE
country:        SE
admin-c:        VIJE1-RIPE
tech-c:         VIJE1-RIPE
status:         ASSIGNED PA
notify:         c+1196 () resilans se
mnt-by:         RESILANS-MNT
mnt-routes:     ETTNET-LIR
created:        2008-04-03T11:21:00Z
last-modified:  2017-04-10T12:47:06Z
source:         RIPE

randy

Current thread:

Re: swedish dns zone enumerator Amir Herzberg (Nov 01)
- <Possible follow-ups>
- Re: swedish dns zone enumerator Mark Andrews (Nov 01)
  - Re: swedish dns zone enumerator Randy Bush (Nov 01)
    - Re: swedish dns zone enumerator Mark Andrews (Nov 02)
    - Re: swedish dns zone enumerator Saku Ytti (Nov 02)
    - Re: swedish dns zone enumerator Randy Bush (Nov 02)
    - Re: swedish dns zone enumerator John McCormac (Nov 02)
  - Re: swedish dns zone enumerator Stephane Bortzmeyer (Nov 02)
    - Re: swedish dns zone enumerator Mark Andrews (Nov 02)