[unisog] Honeypot in Netherlands mirroring entire DNS structures for some .edu's

Bill Owens owens at nysernet.org
Thu Nov 16 21:07:26 GMT 2006

On Thu, Nov 16, 2006 at 01:59:11PM -0600, John C. A. Bambenek wrote:
> All-
> We just discovered that there is a machine in the Netherlands that is
> apparently running a honeypot and is mirroring entire DNS structures for
> some .edu domains.

The zone consists of wildcards:

[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu
thisisnotarealname.uiuc.eu. 86400 IN    A
[cookiemonster:~] owens% dig +noall +answer thisisnotarealname.uiuc.eu mx
thisisnotarealname.uiuc.eu. 86400 IN    MX      5 mail.verkeerspark.nl.

I have no idea whether this activity is malicious or not, but it isn't 'mirroring' domains, only registering them under .eu with the wildcards above (and possibly others).


More information about the unisog mailing list