Report of spike in DNS Queries gd21.net
A reader reported (thanks @Scott) that he is observing a sudden jump in DNS Traffic all asking for the same thing.
Here is a snip from logs, slightly edited.
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: gd21.net IN TXT +E
Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: gd21.net IN TXT +E
Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: gd21.net IN TXT +E
Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: gd21.net IN TXT +E
** used with permission **
gd21.net seems to link to a Korean Shopping site of some kind. As always, use caution when following links
Is anyone else seeing this? If so could you report it?
UPDATE:
Starting to look like reflective amplified DOS. If you are seeing this let us know.
leslie-2:~ packetalien$ dig gd21.net txt
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.7.3-P3 <<>> gd21.net txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18617
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;gd21.net. IN TXT
;; ANSWER SECTION:
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.119 ip4:211.236.180.120 ip4:211.236.180.121 ip4:211.236.180.122 ip4:211.236.180.123 ip4:211.236.180.124 ip4:211.236.180.125 ip4:211.236.180.126 ip4:211.236.180.127 ip4:211.236.180.128 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.118 ip4:211.236.180.40 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.9 ip4:211.236.180.10 ip4:211.236.180.11 ip4:211.236.180.12 ip4:211.236.180.13 ip4:211.236.180.14 ip4:211.236.180.15 ip4:211.236.180.16 ip4:211.236.180.17 ip4:211.236.180.18 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.19 ip4:211.236.180.20 ip4:211.236.180.21 ip4:211.236.180.22 ip4:211.236.180.23 ip4:211.236.180.24 ip4:211.236.180.25 ip4:211.236.180.26 ip4:211.236.180.27 ip4:211.236.180.28 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.29 ip4:211.236.180.30 ip4:211.236.180.31 ip4:211.236.180.32 ip4:211.236.180.33 ip4:211.236.180.34 ip4:211.236.180.35 ip4:211.236.180.36 ip4:211.236.180.37 ip4:211.236.180.38 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.39 ip4:211.236.180.40 ip4:211.236.180.41 ip4:211.236.180.42 ip4:211.236.180.43 ip4:211.236.180.44 ip4:211.236.180.45 ip4:211.236.180.46 ip4:211.236.180.47 ip4:211.236.180.48 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.49 ip4:211.236.180.50 ip4:211.236.180.51 ip4:211.236.180.52 ip4:211.236.180.53 ip4:211.236.180.54 ip4:211.236.180.55 ip4:211.236.180.56 ip4:211.236.180.57 ip4:211.236.180.58 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.59 ip4:211.236.180.60 ip4:211.236.180.61 ip4:211.236.180.62 ip4:211.236.180.63 ip4:211.236.180.64 ip4:211.236.180.65 ip4:211.236.180.66 ip4:211.236.180.67 ip4:211.236.180.68 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.69 ip4:211.236.180.70 ip4:211.236.180.71 ip4:211.236.180.72 ip4:211.236.180.73 ip4:211.236.180.74 ip4:211.236.180.75 ip4:211.236.180.76 ip4:211.236.180.77 ip4:211.236.180.78 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.79 ip4:211.236.180.80 ip4:211.236.180.81 ip4:211.236.180.82 ip4:211.236.180.83 ip4:211.236.180.84 ip4:211.236.180.85 ip4:211.236.180.86 ip4:211.236.180.87 ip4:211.236.180.88 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.89 ip4:211.236.180.90 ip4:211.236.180.91 ip4:211.236.180.92 ip4:211.236.180.93 ip4:211.236.180.94 ip4:211.236.180.95 ip4:211.236.180.96 ip4:211.236.180.97 ip4:211.236.180.98 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.99 ip4:211.236.180.100 ip4:211.236.180.101 ip4:211.236.180.102 ip4:211.236.180.103 ip4:211.236.180.104 ip4:211.236.180.105 ip4:211.236.180.106 ip4:211.236.180.107 ip4:211.236.180.108 ~all"
gd21.net. 236 IN TXT "v=spf1 ip4:211.236.180.109 ip4:211.236.180.110 ip4:211.236.180.111 ip4:211.236.180.112 ip4:211.236.180.113 ip4:211.236.180.114 ip4:211.236.180.115 ip4:211.236.180.116 ip4:211.236.180.117 ip4:211.236.180.118 ~all"
;; AUTHORITY SECTION:
gd21.net. 236 IN NS ns2.goldennet.co.kr.
gd21.net. 236 IN NS ns.goldennet.co.kr.
;; Query time: 83 msec
;; SERVER: 68.105.29.16#53(68.105.29.16)
;; WHEN: Tue Jul 24 12:31:55 2012
;; MSG SIZE rcvd: 2735
leslie-2:~ packetalien$ dig gd21.net txt | wc
35 283 3349
Richard Porter
--- ISC Handler on Duty
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago