FW: Preventing a particular type of nameserver abuse
Richard T.A. Neal
richard at richardneal.com
Wed Apr 14 08:07:15 UTC 2021
Paul Kosinksi wrote:
> Interesting observation. I just did lookups on 4 recent (< 24 hrs ago) 'sl/ANY/IN' queries logged by our BIND and got:
> ...1 OVH Hosting IP (Montreal)
> The whois info for the OVH IP contains the line:
> Comment: Failover IPs
Just out of interest, because I run some services on OVH, I know what that term means. When you rent a dedicated server from OVH you are assigned a single IPv4 address. Let's assume that you then want to use VMware or Hyper-V on that dedicated server to run some VMs - for many of those VMs you'll obviously want a distinct public IPv4 address. So OVH assign you what they term a "failover" block of IPv4 addresses. I don't know why they use that term, I just know that they do! So really it's just confirmation that it's an OVH customer (running a VM on a dedicated server) that is either the source IP or the spoofed target.
Best,
Richard.
More information about the bind-users mailing list