World DNS scan projects

Scan all the DNS servers!


There are multiple world DNS scan projects ongoing.

These are some that I am seeing:

Open Resolver Project:

OpenResolverProject.org scans every Sunday.

The request is an A record query for a personalised subdomain:

client 204.42.253.2#36482 (xxxxx.openresolverproject.org): IN A +

See: http://openresolverproject.org/

Shadowserver

Shadowserver.org appears every few days in my log. Scanning occurs from the following two IPs:

204.140.31.219
64.236.64.139

Queries:

client 64.236.64.139#54444: query: version.bind CH TXT +
client 64.236.64.139#56412: dnsscan.shadowserver.org IN A +

See: http://dnsscan.shadowserver.org/

Team Cymru

Every now and then I see Team Cymru scans: super long domain names ending with dnsresearch.cymru.com.

client 38.229.33.47#32347 ....20.t58951.dnsresearch.cymru.com IN A +

See: http://www.team-cymru.org/Services/Resolvers/

jupitoris.jaist.ac.jp

Two times in two days I observed these guys in my log. Not sure if they are legit. On their page they show a Google Groups email that is not working at the moment.

Query:

client 150.65.32.90#54785: query: jupitoris.jaist.ac.jp IN A -

See: http://jupitoris.jaist.ac.jp/

Verisignlabs

72.13.58.93 'United States' 'AS26134 VeriSign Infrastructure & Operations' xxxxxxxxxxxx.ortest.verisignlabs.com A


Malicious


The other requests observed are basically all malicious. A large part originates from the Ecatel AS, as described in this blog post:

 http://dnsamplificationattacks.blogspot.nl/2013/06/ecatel-big-source-of-directedatasia.html
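
To separate the scan projects listed above from the rest of a query log, the domain suffixes quoted in this post can be matched against BIND query log lines. This is an added example, not code from the original post; the sample log lines (with documentation-range IP addresses) are constructed, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Suffixes come from the queries quoted in this post; labels are its headings.
RESEARCH_SUFFIXES = {
    "openresolverproject.org": "Open Resolver Project",
    "dnsscan.shadowserver.org": "Shadowserver",
    "dnsresearch.cymru.com": "Team Cymru",
    "jupitoris.jaist.ac.jp": "jupitoris.jaist.ac.jp",
    "ortest.verisignlabs.com": "Verisignlabs",
}

# "client IP#port ...: [query:] qname CLASS TYPE +/-" (the "query:" token is optional)
LINE_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?\s(?P<qname>\S+) "
                     r"(?P<qclass>IN|CH|HS) (?P<qtype>[A-Z0-9]+) [+-]")

# Constructed sample lines in BIND query-log style (not taken from a real log).
SAMPLE_LOG = """\
client 192.0.2.10#36482 (a1b2.openresolverproject.org): query: a1b2.openresolverproject.org IN A + (203.0.113.53)
client 192.0.2.20#54444: query: version.bind CH TXT +
client 192.0.2.20#56412: query: dnsscan.shadowserver.org IN A +
client 192.0.2.30#32347: query: x.20.t58951.dnsresearch.cymru.com IN A +
client 192.0.2.40#54785: query: jupitoris.jaist.ac.jp IN A -
client 198.51.100.7#4444: query: notopenresolverproject.org IN ANY +E
client 198.51.100.7#4445: query: example.com IN ANY +E
""".splitlines()

def classify(qname, qclass):
    """Label a query by the project suffix it falls under, if any."""
    name = qname.lower().rstrip(".")
    if qclass == "CH" and name == "version.bind":
        return "version.bind probe"
    for suffix, label in RESEARCH_SUFFIXES.items():
        # Match on a label boundary so "notopenresolverproject.org" is not a hit.
        if name == suffix or name.endswith("." + suffix):
            return label
    return "unattributed"

def summarize(lines):
    """Return {label: sorted source IPs} for every parsable log line."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[classify(m["qname"], m["qclass"])].add(m["ip"])
    return {label: sorted(ips) for label, ips in seen.items()}

if __name__ == "__main__":
    for label, ips in summarize(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(ips)}")
```

A matching name only labels the query: the sender chooses the query name and UDP source addresses can be forged, so the label does not prove who sent it.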

