Apple harvest and juice

Some months ago, I set up a small Hadoop platform to ingest DNS data through ENTRADA by SIDN Labs from my primary nameserver as a PoC. Unfortunately, I did not have time to actually look at the data until now. It turns out, it has collected a little over 30 million queries in that time, which of course can hardly be called big data. Here are some first impressions of what I can glean from the data.

DANE is starting to get used, mostly for e-mail, some jabber, and a few for The Web, and 3166 qureies in total.

DMARC is getting used as well, with a meagre 1237 queries, but that’s probably more a reflection of how much email I sent to Gmail, Yahoo! Mail, Hotmail, etc.

More surprisingly, which actually should not surprise anyone, is how much my private DNSBL rbl.fnidder.dk is still used, despite it being shut down, I can’t even remember how long ago, but it must be over 10 years. Once on the Internet, always on the Internet.

If anyone recognises themselves behind these IP addresses, go remove the list as it’s returning positive results for everything and is utterly useless to you.

select count(src) as count,src from queries where qname like ‘%rbl.fnidder.dk.’ group by src order by count desc;

src count
209.225.8.164 3585
200.189.161.34 3253
2401:1c00:0:103:0:0:0:3 1410
121.200.225.67 1376
200.189.161.35 1029
194.25.0.52 785
195.28.207.2 390
194.25.0.60 308
2003:40:4000:1:53:0:3:1 256
2003:40:4000:1:53:0:1:1 235
2003:40:4000:1:53:0:2:1 223
193.218.117.60 108
2003:56:0:1:53:0:1:1 108
2003:56:0:1:53:0:3:1 101
2003:56:0:1:53:0:2:1 96
195.50.140.51 90
195.28.207.14 44
46.218.232.98 33
195.50.140.53 28
217.237.148.88 18
2003:180:2:6000:53:0:9:1 15
2003:180:2:6000:53:0:12:1 15
195.50.140.45 12
2003:180:2:2000:53:0:13:1 12
217.237.149.219 12
2003:180:2:1000:53:0:9:1 10
2003:180:2:1000:53:0:13:1 9
195.50.140.59 9
217.237.148.84 9
60.234.2.148 9
217.237.151.218 8
195.50.140.52 8
217.237.149.222 6
2003:180:2:1000:53:0:15:1 6
217.237.148.90 5
203.144.207.45 4
2003:180:2:1000:53:0:10:1 4
195.50.140.44 4
217.237.151.217 4
2003:180:2:0:53:0:12:1 3
2003:180:2:1000:53:0:16:1 3
2003:180:2:1000:53:0:12:1 3
2003:180:2:1000:53:0:14:1 3
60.234.2.156 3
186.218.216.5 2
217.23.11.8 2
217.237.151.214 2
203.162.107.13 2
119.46.240.1 2
2003:180:2:6000:53:0:10:1 2
217.237.148.91 2
5.22.161.138 2
5.22.160.34 2
203.162.107.36 2
203.144.206.12 2
2403:6200:1:0:1:0:0:3 2
203.144.128.41 2
203.162.107.14 2
217.237.148.89 2
31.184.236.24 2
2003:180:2:2000:53:0:12:1 2
217.237.149.220 2
2600:3c02:0:0:0:0:0:5 2
203.162.107.6 2
27.68.251.142 2
217.237.151.35 2
204.194.239.19 2
203.144.207.12 2
72.68.153.110 2
46.166.165.131 1
217.237.151.215 1
210.245.24.72 1
217.237.149.211 1
217.237.148.85 1
201.10.132.5 1
2003:180:2:0:53:0:15:1 1
2801:80:60:1:189:90:160:1 1
45.33.99.176 1
2003:180:2:1000:53:0:11:1 1
88.73.206.254 1
2620:0:cc7:0:0:0:0:19 1
218.248.255.197 1
203.144.206.11 1
2003:180:2:2000:53:0:14:1 1
2003:180:2:2000:53:0:9:1 1
82.103.86.62 1
210.245.24.79 1
210.245.24.102 1
121.1.3.199 1
2607:5300:61:95c:0:0:0:0 1
82.163.143.10 1
2003:180:2:2000:53:0:15:1 1
210.245.24.101 1
217.237.151.220 1

Usually, I post these small titbits of information on the modern “Social” media, but since Twitter is failing yet again, it might be a good time to dust of this good ol’ blog.

Geoff Huston of APNIC wrote yet another great article, this time about the adagio that the Internet of Things needs IPv6, and viceversa, that IoT is the killer App of IPv6. Do they really? Do read the whole article.

I do want to highlight one quote about NAT as a security feature:

All devices need to be paranoid. Trust is the outcome of negotiation, and obscurity is a lousy substitute for an effective security framework.

Indeed. NAT is not security, and security by obscurity has never helped anyone. Be paranoid. Assume the worst. It will only get better from there.