North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

DNS deluge for

  • From: Estes, Paul
  • Date: Fri Feb 24 12:27:27 2006

We have recently noticed a deluge of DNS requests for “ANY ANY” records of The requests are coming from thousands of sources, mostly our own customers. There are currently no records for, or even for A google search for comes up with only 2 hits. One is a DNS log showing references to this name. The other one shows that somebody else is seeing the same behavior as we are:


However, this site has the benefit or providing a history that had (a week ago) delegated NS record pointing to At that time,’s nameserver was responding with a TXT record for


It would appear that was the victim of some DNS hijacking. Whatever malware is attempting to lookup this name, however, is doing so at a horrific rate. I have some addresses that have made >250000 requests for this name in a short period of time.


I was thinking that I could simply put an authoritative zone for in our nameservers and return something for the lookups, however based on the writeup on the above mentions blog, I am now not certain this will have any effect. As you’ll note, that individual had only 2 machines hitting his name server, and even though a response was provided to the lookup, the hosts continued to hammer his access link.


When the lookup flood occurs, every host starts at the same time, as can be seen on the graphs of traffic to and load of our nameservers. It’s all or nothing – the flood is either on or off. There’s no background trickle.


Is anybody else seeing these events?