On Fri, Jun 15, 2018 at 6:44 AM Tony Finch <dot@dotat.at> wrote:
I've got what appears to be some end-user devices sending _ta-4a5c queries. I'm tracking them down with:
tcpdump -s0 -n -p -i any -vvv -X dst port 53 and \
  \( ip[0x28:4] == 0x085f7461 or ip6[0x3c:4] == 0x085f7461 \)
This expression looks for DNS query names that start with an 8 character label beginning '_ta'. I thought this might be useful for others.
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Dover, Wight, Portland, Plymouth: West or southwest 3 or 4, increasing 5 or 6.
Slight or moderate. Showers later. Moderate or good.
_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover

I am seeing queries for "_ta-4a5c-4f66". Are those the 'correct' KSKs?

--
Bob Harold
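
Added example, not part of either message: a Python sketch that emulates the fixed-offset tcpdump match on constructed packets and decodes a `_ta-` first label of any length into key tags, which shows that the 8-character filter does not match the 13-character `_ta-4a5c-4f66` label. The function names and the packets are made up for illustration, and it assumes IPv4 without options and IPv6 without extension headers, as the tcpdump offsets do.

```python
import struct

FILTER_WORD = 0x085F7461      # length byte 8, then "_ta" (value from the tcpdump filter)
OFFSETS = {4: 0x28, 6: 0x3C}  # IP header (20 or 40) + UDP header (8) + DNS header (12)

def build_query(qname, ip_version=4):
    """Constructed sample packet: mostly zeroed IP/UDP headers plus one DNS question."""
    ip_len = 20 if ip_version == 4 else 40
    ip_hdr = bytes([0x45 if ip_version == 4 else 0x60]) + bytes(ip_len - 1)
    udp_hdr = struct.pack("!HHHH", 40000, 53, 0, 0)
    dns_hdr = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    # QTYPE 10 (NULL), QCLASS 1 (IN), as RFC 8145 key tag queries use
    return ip_hdr + udp_hdr + dns_hdr + name + b"\x00" + struct.pack("!HH", 10, 1)

def fixed_filter_matches(pkt):
    """Emulates ip[0x28:4] == 0x085f7461 or ip6[0x3c:4] == 0x085f7461."""
    off = OFFSETS.get(pkt[0] >> 4)
    if off is None or len(pkt) < off + 4:
        return False
    return int.from_bytes(pkt[off:off + 4], "big") == FILTER_WORD

def key_tags(pkt):
    """Decode a first label of the form _ta-xxxx[-xxxx...] into a list of key tags.

    Returns None when the first label is not a well-formed key tag label.
    """
    off = OFFSETS.get(pkt[0] >> 4)
    if off is None or len(pkt) <= off:
        return None
    length = pkt[off]
    label = pkt[off + 1:off + 1 + length].decode("ascii", "replace").lower()
    if len(label) != length or not label.startswith("_ta-"):
        return None
    try:
        return [int(part, 16) for part in label[4:].split("-")]
    except ValueError:
        return None

if __name__ == "__main__":
    # 0x4a5c = 19036 (root KSK-2010), 0x4f66 = 20326 (root KSK-2017)
    for qname in ("_ta-4a5c", "_ta-4a5c-4f66"):
        pkt = build_query(qname)
        print(qname, fixed_filter_matches(pkt), key_tags(pkt))
```

To capture key tag labels of any length with tcpdump, the comparison can skip the length byte and test for `_ta-` instead: `ip[0x29:4] == 0x5f74612d or ip6[0x3d:4] == 0x5f74612d`.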