Greetings,
Anyone know anything about IP 128.232.0.31?
# host 128.232.0.31
31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk.
We have been getting persistent zone transfer attempts that originate from this IP address. We have had repeated zone transfer attempts against all of our DNS zones -- and against all 7 name servers that we manage. This has been going on now for about a month or two -- more or less. Recently, we have also seen attempts to do zone transfers for non-authoritative domains. Logging shows that this IP apparently never attempts to make legitimate DNS queries, only zone transfers.
Anyone know anything about this IP?
Anyone else have the appropriate logging enabled and also seeing this IP make zone transfer attempts?
Thoughts/comments/suggestions?
Thanks!
Jon
If you go to http://dns-probe.srg.cl.cam.ac.uk you will see that this
activity is part of a well-documented research project at Cambridge
University in the UK, which has a widely-respected computer laboratory.
I have, out of courtesy, forwarded your concerns to appropriate people
there but would assure everybody that this activity is entirely benign!
http://www.justfuckinggoogleit.com/
A search for:
128.232.0.31 axfr
brings up the one and only relevant hit. Too bad the IP isn't a "word" or
this would be a googlewhack.
If you really are seeing persistent requests from them (they say you
shouldn't) then you ought to contact them, provide logs, and show them
that their probe may be malfunctioning.
Our probe is very polite - if it has been turned away by a server, it
will not normally contact that server again.
Greetings,
Anyone know anything about IP 128.232.0.31? # host 128.232.0.31
31.0.232.128.in-addr.arpa domain name pointer
dns-probe.srg.cl.cam.ac.uk.
[...]
Anyone know anything about this IP?
Keep going, they make it pretty easy to figure out what is going on:
dig txt dns-probe.srg.cl.cam.ac.uk
; <<>> DiG 8.3 <<>> txt dns-probe.srg.cl.cam.ac.uk
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;; dns-probe.srg.cl.cam.ac.uk, type = TXT, class = IN
;; ANSWER SECTION:
dns-probe.srg.cl.cam.ac.uk. 6H IN TXT "pseudo IP address for machine doing research into DNS data"
dns-probe.srg.cl.cam.ac.uk. 6H IN TXT "See Computer Laboratory - Adam for details"
;; Total query time: 1134 msec
;; FROM: mighty.grot.org to SERVER: default -- 127.0.0.1
;; WHEN: Mon Jun 28 13:42:19 2004
;; MSG SIZE sent: 44 rcvd: 204