In message <500ed56f.1080...@gmail.com>, Daniel Migault writes: > Actually we detected these ripe.net ANY requests by observing an > increase in TCP DNS requests due to large DNSSEC responses. IP address > does not seem spoofed. It seems these (very few) client wait 10 sec > before closing their TCP connection, which increases the platform load. > We think it is a malware, but feel free to provide more information on > that topic. > > BR > Daniel
If it is TCP then it would be "ripe.net IN ANY +ETD" being logged as the query log records whether it is TCP or not. The original poster is getting UDP queries. If you are getting lots of TCP queries then you should be addressing the source directly and getting that fixed. > On 07/24/2012 05:22 PM, Stephane Bortzmeyer wrote: > > On Mon, Jul 23, 2012 at 04:49:24PM +0200, > > Stephane Bortzmeyer <bortzme...@nic.fr> wrote > > a message of 15 lines which said: > > > >> Buggy. It parses the DNS packet from the end and therefore fails > >> with EDNS packets (which have the OPT resource record at the end). > > After checking, I stand corrected. This is not the original xt_dns > > (which is buggy) but a fork which fixes the parsing. Sorry for the > > false alarm. > > _______________________________________________ > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri > be from this list > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
