public inbox for gentoo-server@lists.gentoo.org
* [gentoo-server] Odd / fast DNS requests
From: fire-eyes @ 2006-08-20  0:18 UTC
  To: gentoo-server

On my small server I am seeing a sudden inrush of requests to named like this. 
Of particular interest is _domainkey. A quick google search didn't really 
explain why I am seeing so much of this, it's been going on almost 
continuously for 20 minutes.

So, anyone recognize this stuff?

Aug 20 00:16:17 fieldy named[7456]: client 62.8.115.206#1221: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:17 fieldy named[7456]: client 62.8.115.206#1221: query: 
fire-eyes.org IN A -E
Aug 20 00:16:17 fieldy named[7456]: client 213.152.131.187#53: query: 
fire-eyes.org IN A -E
Aug 20 00:16:19 fieldy named[7456]: client 61.78.58.150#53: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:19 fieldy named[7456]: client 61.78.58.150#53: query: 
fire-eyes.org IN A -E
Aug 20 00:16:19 fieldy named[7456]: client 62.8.115.206#1221: query: 
_domainkey.fire-eyes.org IN TXT -E
Aug 20 00:16:19 fieldy named[7456]: client 62.8.115.206#1221: query: 
_policy._domainkey.fire-eyes.org IN TXT -E
Aug 20 00:16:23 fieldy named[7456]: client 66.241.137.7#1430: query: 
fire-eyes.org IN A -E
Aug 20 00:16:23 fieldy named[7456]: client 200.69.32.5#34717: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:23 fieldy named[7456]: client 200.69.32.5#34717: query: 
fire-eyes.org IN A -E
Aug 20 00:16:24 fieldy named[7456]: client 67.99.202.22#32818: query: 
fire-eyes.org IN A -E
Aug 20 00:16:27 fieldy named[7456]: client 196.36.119.67#51984: query: 
_domainkey.fire-eyes.org IN TXT -E
Aug 20 00:16:27 fieldy named[7456]: client 130.149.4.20#58689: query: 
fire-eyes.org IN A -
Aug 20 00:16:27 fieldy named[7456]: client 85.112.164.201#42482: query: 
fire-eyes.org IN A -
Aug 20 00:16:27 fieldy named[7456]: client 209.163.147.22#1024: query: 
fire-eyes.org IN A -E
Aug 20 00:16:27 fieldy named[7456]: client 209.163.147.22#1024: query: 
_domainkey.fire-eyes.org IN TXT -E
Aug 20 00:16:27 fieldy named[7456]: client 132.170.240.15#58229: query: 
fire-eyes.org IN A -E
Aug 20 00:16:27 fieldy named[7456]: client 202.56.128.30#35635: query: 
fire-eyes.org IN A -E
Aug 20 00:16:29 fieldy named[7456]: client 216.16.235.5#1024: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:29 fieldy named[7456]: client 216.16.235.5#1024: query: 
fire-eyes.org IN A -E
Aug 20 00:16:30 fieldy named[7456]: client 65.54.237.136#1047: query: 
fire-eyes.org IN TXT -
Aug 20 00:16:30 fieldy named[7456]: client 195.220.59.2#32835: query: 
fire-eyes.org IN A -E
Aug 20 00:16:31 fieldy named[7456]: client 193.136.128.1#32769: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:31 fieldy named[7456]: client 193.136.128.1#32769: query: 
fire-eyes.org IN A -E
Aug 20 00:16:32 fieldy named[7456]: client 196.26.52.130#56234: query: 
fire-eyes.org IN AAAA -
Aug 20 00:16:32 fieldy named[7456]: client 196.26.52.130#56234: query: 
fire-eyes.org IN A -
Aug 20 00:16:32 fieldy named[7456]: client 207.98.65.2#33141: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:32 fieldy named[7456]: client 207.98.65.2#33141: query: 
fire-eyes.org IN A -E
Aug 20 00:16:32 fieldy named[7456]: client 168.95.192.211#32778: query: 
fire-eyes.org IN A -
Aug 20 00:16:32 fieldy named[7456]: client 195.220.59.2#32835: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:33 fieldy named[7456]: client 194.236.124.34#3223: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:33 fieldy named[7456]: client 194.236.124.34#3223: query: 
fire-eyes.org IN A -E
Aug 20 00:16:35 fieldy named[7456]: client 213.75.17.70#53: query: 
fire-eyes.org IN A -E
Aug 20 00:16:36 fieldy named[7456]: client 135.245.0.4#33536: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:36 fieldy named[7456]: client 128.103.201.100#53: query: 
fire-eyes.org IN AAAA -E
Aug 20 00:16:36 fieldy named[7456]: client 128.103.201.100#53: query: 
fire-eyes.org IN A -E
Aug 20 00:16:38 fieldy named[7456]: client 135.245.0.4#33536: query: 
fire-eyes.org IN A -E
-- 
99% of politicians make the rest look bad.
-- 
gentoo-server@gentoo.org mailing list




* Re: [gentoo-server] Odd / fast DNS requests
From: Jeroen Geilman @ 2006-08-20  0:44 UTC
  To: gentoo-server

fire-eyes wrote:
> On my small server I am seeing a sudden inrush of requests to named like this. 
> Of particular interest is _domainkey. A quick google search didn't really 
> explain why I am seeing so much of this, it's been going on almost 
> continuously for 20 minutes.
>
> So, anyone recognize this stuff?
>   
Well, this "stuff", as you call it, is just normal DNS queries - but 
more of them than you usually get, as you noted.
One or two per second is nothing to worry about, and would not be 
considered a DoS attack even if you were on a 56K link...

The _domainkey queries are experimental, or from people who already 
implement SPF and Yahoo's scheme for it.
That was 10 seconds of Google, by the way ;-)

If you really want to know what is happening, you need to log DNS 
requests and replies.
Then you can see what information is exchanged, and look up where they 
come from.

J





* [gentoo-server] DomainKeys != SPF
From: Andrew Ross @ 2006-08-24  1:03 UTC
  To: gentoo-server


Jeroen Geilman wrote:
> fire-eyes wrote:
>> On my small server I am seeing a sudden inrush of requests to named
>> like this. Of particular interest is _domainkey. A quick google search
>> didn't really explain why I am seeing so much of this, it's been going
>> on almost continuously for 20 minutes.

> The _domainkey queries are experimental, or from people who already
> implement SPF and Yahoo's scheme for it.
> That was 10 seconds of Google, by the way ;-)

SPF (http://www.openspf.org/) and DomainKeys
(http://antispam.yahoo.com/domainkeys) are not the same thing, although
they attempt to address similar problems (albeit in a slightly different
manner).

DomainKeys uses a TXT record named _domainkey , which holds a public
key. The domain's MTA signs outgoing mail with the corresponding private
key, and DomainKey-aware receiving MTAs look up the public key and
verify the signature.

SPF uses a record named after the domain itself, which is in a special
format and specifies which machines (by IP address or domain name) can
send email claiming to be from that domain. The record type can be
either TXT or SPF, but should be both for maximum compatibility.

In their current implementations, SPF protects the envelope sender
information (which isn't seen by the end-user, unless s/he examines the
header), while DomainKeys protects the From: field.

Visit the above-mentioned URLs for more information.

Cheers

Andrew
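
Added example, not part of the original messages: a small triage script that applies the advice in this thread to a named query log, separating DomainKeys lookups (`_domainkey` names) from apex TXT/SPF lookups and ordinary address queries, and counting queries per client and per second. The sample log is constructed (documentation-range addresses, zone `example.org`, host `ns1`), and treating `_policy._domainkey` as a policy lookup is an assumption based on the names seen in the posted log.

```python
import re
from collections import Counter

# Constructed sample in the query-log format posted in the thread (lines
# unwrapped; addresses are documentation ranges, zone is example.org).
SAMPLE_LOG = """\
Aug 20 00:16:17 ns1 named[7456]: client 192.0.2.10#1221: query: example.org IN AAAA -E
Aug 20 00:16:17 ns1 named[7456]: client 192.0.2.10#1221: query: example.org IN A -E
Aug 20 00:16:19 ns1 named[7456]: client 192.0.2.10#1221: query: _domainkey.example.org IN TXT -E
Aug 20 00:16:19 ns1 named[7456]: client 192.0.2.10#1221: query: _policy._domainkey.example.org IN TXT -E
Aug 20 00:16:23 ns1 named[7456]: client 198.51.100.7#34717: query: example.org IN A -E
Aug 20 00:16:27 ns1 named[7456]: client 203.0.113.5#1024: query: sel1._domainkey.example.org IN TXT -E
Aug 20 00:16:30 ns1 named[7456]: client 203.0.113.9#1047: query: example.org IN TXT -
Aug 20 00:16:31 ns1 named[7456]: this line is not a query
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+named\[\d+\]:\s+client\s+"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+:\s+query:\s+(?P<name>\S+)\s+IN\s+(?P<qtype>\S+)"
)

def classify(name, qtype, zone):
    """Label a query by the mail-authentication lookup it matches, if any."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    labels = name.split(".")
    if qtype == "TXT" and "_domainkey" in labels:
        # <selector>._domainkey.<zone> holds a public key; the bare _domainkey
        # name (and _policy._domainkey, an assumption) is a policy lookup.
        policy = labels[0] in ("_domainkey", "_policy")
        return "domainkeys-policy" if policy else "domainkeys-key"
    if name == zone and qtype in ("TXT", "SPF"):
        return "spf-candidate"  # apex TXT may carry SPF or unrelated text
    if qtype in ("A", "AAAA"):
        return "address"
    return "other"

def summarize(log_text, zone):
    """Return (category counts, per-client counts, peak queries in one second)."""
    kinds, clients, per_second = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # skip non-query lines instead of failing on them
        kinds[classify(m["name"], m["qtype"], zone)] += 1
        clients[m["ip"]] += 1
        per_second[m["ts"]] += 1
    return kinds, clients, max(per_second.values(), default=0)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "example.org"))
```
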



