Odd log messages from ISC BIND named
Ben Scott
dragonhawk at gmail.com
Tue Feb 3 16:55:22 EST 2009
On Tue, Feb 3, 2009 at 1:11 PM, Mark E. Mallett <mem at mv.mv.com> wrote:
> It's possible that somebody's testing using random query names instead
> of "." -- "." is pretty easy to look for in the logs, but the random
> names are more difficult.

So why not just query for <google.com.> or something else that's
legitimate and quite common? These long domain names are obviously
bogus, so it's almost as easy to filter for them. Just look for any
query which doesn't include a known gTLD or ccTLD.

> Anyway that's just guessing.

Yah, me too in the above. :) It's not like we can see into the
assumed attackers' minds.

-- Ben
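
The filter suggested in the message above, sketched as an added example that is not part of the original post: it flags logged queries for "." or for names whose last label is not a known TLD. The log line format (BIND 9 "query (cache) ... denied" messages), the sample lines, and the short `KNOWN_TLDS` set are assumptions made for illustration; a real filter would load the full IANA TLD list.

```python
import re

# Constructed sample lines in the style of BIND 9 "denied" messages; the
# thread does not reproduce its log lines, so these are illustrative only.
SAMPLE_LOG = """\
03-Feb-2009 12:01:07.101 security: info: client 192.0.2.10#31337: query (cache) './NS/IN' denied
03-Feb-2009 12:01:08.412 security: info: client 192.0.2.10#31338: query (cache) 'qzxkvbnmplwertyuioasdfghjk/A/IN' denied
03-Feb-2009 12:01:09.007 security: info: client 198.51.100.7#5353: query (cache) 'google.com/A/IN' denied
03-Feb-2009 12:01:09.950 security: info: client 192.0.2.10#31339: query (cache) 'hgfdsapoiuytrewqlkjhmnbvcx.zzqq/A/IN' denied
03-Feb-2009 12:01:10.200 security: info: client 203.0.113.5#40000: query (cache) 'WWW.Example.ORG/MX/IN' denied
"""

# Assumption: a tiny stand-in for the full gTLD/ccTLD list published by IANA.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "us", "uk", "de"}

# Pulls client address and the 'name/type/class' triple out of a denied-query line.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^'/]*)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)' denied"
)

def classify(qname):
    """Return 'root', 'known-tld' or 'unknown-tld' for a query name."""
    name = qname.rstrip(".").lower()
    if not name:
        return "root"  # the "." query mentioned in the thread
    tld = name.rsplit(".", 1)[-1]  # a single-label name is its own last label
    return "known-tld" if tld in KNOWN_TLDS else "unknown-tld"

def suspicious_queries(log_text):
    """Return (client_ip, query_name, verdict) for root and unknown-TLD queries."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # not a denied-query line in the assumed format
        verdict = classify(m.group("name"))
        if verdict != "known-tld":
            hits.append((m.group("ip"), m.group("name"), verdict))
    return hits

if __name__ == "__main__":
    for ip, name, verdict in suspicious_queries(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\t{name}")
```
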