On Thu, 2 Nov 2023 at 10:32, Mark Andrews <marka@isc.org> wrote:
You missed the point I was trying to make. While I think that that source is trying to enumerate some part of the namespace. NS queries by themselves don’t indicate an attack. Others would probably see the series of NS queries as a signature of an attack when they are NOT. There needs to be much more than that to make that conclusion.
I might be reading this wrong, but I don't think the point Randy was trying to make was 'NS queries are an attack', 'UDP packets are an attack' or 'IP packets are an attack' . I base this on the list of queries Randy decided to include as relevant to the thesis Randy was trying to make, instead of wholesale warning of IP, UDP or NS queries. -- ++ytti