Persistent DNS Zone Transfer Attempts from IP 128.232.0.31
Greetings,

Anyone know anything about IP 128.232.0.31?

# host 128.232.0.31
31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk.

We have been getting persistent zone transfer attempts that originate from this IP address. We have had repeated zone transfer attempts against all of our DNS zones -- and against all 7 name servers that we manage. This has been going on now for about a month or two -- more or less. Recently, we have also seen attempts to do zone transfers for non-authoritative domains. Logging shows that this IP apparently never attempts to make legitimate DNS queries, only zone transfers.

Anyone know anything about this IP?

Anyone else have the appropriate logging enabled and also seeing this IP make zone transfer attempts?

Thoughts/comments/suggestions?

Thanks!
Jon
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
On Sat, 26 Jun 2004 11:19:16 -0400 "Jon R. Kibler" <Jon.Kibler@aset.com> wrote:

| Anyone know anything about IP 128.232.0.31?
| > # host 128.232.0.31
| > 31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk.
|
| We have been getting persistent zone transfer attempts that originate
| from this IP address. We have had repeated zone transfer attempts
| against all of our DNS zones -- and against all 7 name servers that we
| manage. This has been going on now for about a month or two -- more or
| less. Recently, we have also seen attempts to do zone transfers for
| non-authoritative domains. Logging shows that this IP apparently never
| attempts to make legitimate DNS queries, only zone transfers.
|
| Anyone know anything about this IP?
|
| Anyone else have the appropriate logging enabled and also seeing this
| IP make zone transfer attempts?
|
| Thoughts/comments/suggestions?

If you go to http://dns-probe.srg.cl.cam.ac.uk you will see that this activity is part of a well-documented research project at Cambridge University in the UK, which has a widely-respected computer laboratory.

I have, out of courtesy, forwarded your concerns to appropriate people there but would assure everybody that this activity is entirely benign!

--
Richard Cox
On Sat, 26 Jun 2004, Jon R. Kibler wrote:
> Greetings,
>
> Anyone know anything about IP 128.232.0.31?
>
> # host 128.232.0.31
> 31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk.
>
> We have been getting persistent zone transfer attempts that originate from this IP address. We have had repeated zone transfer attempts
http://www.justfuckinggoogleit.com/

A search for: 128.232.0.31 axfr brings up the one and only relevant hit. Too bad the IP isn't a "word" or this would be a googlewhack.

If you really are seeing persistent requests from them (they say you shouldn't) then you ought to contact them, provide logs, and show them that their probe may be malfunctioning.

    Our probe is very polite - if it has been turned away by a server, it will not normally contact that server again.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sat, 26 Jun 2004 11:19:16 -0400, "Jon R. Kibler" <Jon.Kibler@aset.com> said:

> Greetings,
>
> Anyone know anything about IP 128.232.0.31?
>
> # host 128.232.0.31
> 31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk.
>
> [...]
>
> Anyone know anything about this IP?
Keep going, they make it pretty easy to figure out what is going on:
dig txt dns-probe.srg.cl.cam.ac.uk
; <<>> DiG 8.3 <<>> txt dns-probe.srg.cl.cam.ac.uk
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      dns-probe.srg.cl.cam.ac.uk, type = TXT, class = IN

;; ANSWER SECTION:
dns-probe.srg.cl.cam.ac.uk. 6H IN TXT "pseudo IP address for machine doing research into DNS data"
dns-probe.srg.cl.cam.ac.uk. 6H IN TXT "See http://www.cl.cam.ac.uk/Research/SRG/netos/adam/traffic.html for details"

;; Total query time: 1134 msec
;; FROM: mighty.grot.org to SERVER: default -- 127.0.0.1
;; WHEN: Mon Jun 28 13:42:19 2004
;; MSG SIZE sent: 44 rcvd: 204
participants (4)
- Aditya
- Jon Lewis
- Jon R. Kibler
- Richard Cox
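
Added example (not part of any post in this thread): one way to pull from a name server log the evidence discussed above, namely which sources attempt only zone transfers and never ordinary queries, which zones they were refused for, which of those zones the server is not authoritative for, and whether a source came back for a zone after being refused. It assumes BIND 9 style log messages; the log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND 9 log style (assumed; the thread does not
# name the server software). Addresses come from documentation ranges.
SAMPLE_LOG = """\
26-Jun-2004 03:10:01.120 security: error: client 192.0.2.31#40112: zone transfer 'example.com/AXFR/IN' denied
26-Jun-2004 03:10:02.480 security: error: client 192.0.2.31#40113: zone transfer 'example.net/AXFR/IN' denied
26-Jun-2004 03:10:05.002 security: error: client 192.0.2.31#40120: bad zone transfer request: 'example.org/IN': non-authoritative zone (NOTAUTH)
26-Jun-2004 04:00:00.000 queries: info: client 198.51.100.7#5353: query: www.example.com IN A +
26-Jun-2004 04:00:09.000 security: error: client 198.51.100.7#5354: zone transfer 'example.com/AXFR/IN' denied
27-Jun-2004 03:10:01.300 security: error: client 192.0.2.31#41200: zone transfer 'example.com/AXFR/IN' denied
"""

# Newer BIND releases add "@0x..." before the address and "(name)" after the port.
CLIENT = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: (?P<msg>.*)")
DENIED = re.compile(r"zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/\w+' denied")
NOTAUTH = re.compile(r"bad zone transfer request: '(?P<zone>[^/']+)/\w+': non-authoritative zone")


def summarize(log_text):
    """Return per-source zone transfer statistics for one name server's log."""
    raw = defaultdict(lambda: {"queries": 0, "denied": defaultdict(int), "notauth": set()})
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue
        rec, msg = raw[m["ip"]], m["msg"]
        if msg.startswith("query:"):
            rec["queries"] += 1                      # ordinary lookup
        elif (d := DENIED.search(msg)):
            rec["denied"][d["zone"]] += 1            # refused AXFR/IXFR
        elif (n := NOTAUTH.search(msg)):
            rec["notauth"].add(n["zone"])            # zone we do not serve
    report = {}
    for ip, rec in raw.items():
        attempted = bool(rec["denied"] or rec["notauth"])
        report[ip] = {
            "transfer_only": attempted and rec["queries"] == 0,
            "zones_denied": sorted(rec["denied"]),
            "zones_not_authoritative": sorted(rec["notauth"]),
            # Same zone refused more than once: the source returned after a denial.
            "retried_after_denial": sorted(z for z, c in rec["denied"].items() if c > 1),
        }
    return report


if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG).items():
        print(ip, row)
```

The "transfer_only" result is only meaningful if query logging was enabled for the period covered by the log.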