Channel: SANS Internet Storm Center, InfoCON: green

Report of spike in DNS Queries gd21.net, (Tue, Jul 24th)

A reader reported (thanks @Scott) that he is observing a sudden jump in DNS traffic, with all of the queries asking for the same thing.
Here is a snippet from the logs, slightly edited.


Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#55148: query: gd21.net IN TXT +E

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#63757: query: gd21.net IN TXT +E

Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#50037: query: gd21.net IN TXT +E

Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#57822: query: gd21.net IN TXT +E

Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#21294: query: gd21.net IN TXT +E

Jul 24 13:28:57 ns1 named[3240]: client XX.194.158.62#6076: query: gd21.net IN TXT +E

Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#27221: query: gd21.net IN TXT +E

Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#34485: query: gd21.net IN TXT +E

Jul 24 13:28:58 ns1 named[3240]: client XX.194.158.62#56117: query: gd21.net IN TXT +E

** used with permission **

gd21.net seems to link to a Korean shopping site of some kind. As always, use caution when following links.



Is anyone else seeing this? If so, could you report it?



UPDATE:

This is starting to look like a reflective amplified DoS. If you are seeing this, let us know.

Truncated, retrying in TCP mode.

DiG 9.7.3-P3 -HEADER QUERY: 1, ANSWER: 13, AUTHORITY: 2, ADDITIONAL: 0

gd21.net. IN TXT

ANSWER SECTION:

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.119 ip4:211.236.180.120 ip4:211.236.180.121 ip4:211.236.180.122 ip4:211.236.180.123 ip4:211.236.180.124 ip4:211.236.180.125 ip4:211.236.180.126 ip4:211.236.180.127 ip4:211.236.180.128 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.118 ip4:211.236.180.40 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.9 ip4:211.236.180.10 ip4:211.236.180.11 ip4:211.236.180.12 ip4:211.236.180.13 ip4:211.236.180.14 ip4:211.236.180.15 ip4:211.236.180.16 ip4:211.236.180.17 ip4:211.236.180.18 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.19 ip4:211.236.180.20 ip4:211.236.180.21 ip4:211.236.180.22 ip4:211.236.180.23 ip4:211.236.180.24 ip4:211.236.180.25 ip4:211.236.180.26 ip4:211.236.180.27 ip4:211.236.180.28 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.29 ip4:211.236.180.30 ip4:211.236.180.31 ip4:211.236.180.32 ip4:211.236.180.33 ip4:211.236.180.34 ip4:211.236.180.35 ip4:211.236.180.36 ip4:211.236.180.37 ip4:211.236.180.38 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.39 ip4:211.236.180.40 ip4:211.236.180.41 ip4:211.236.180.42 ip4:211.236.180.43 ip4:211.236.180.44 ip4:211.236.180.45 ip4:211.236.180.46 ip4:211.236.180.47 ip4:211.236.180.48 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.49 ip4:211.236.180.50 ip4:211.236.180.51 ip4:211.236.180.52 ip4:211.236.180.53 ip4:211.236.180.54 ip4:211.236.180.55 ip4:211.236.180.56 ip4:211.236.180.57 ip4:211.236.180.58 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.59 ip4:211.236.180.60 ip4:211.236.180.61 ip4:211.236.180.62 ip4:211.236.180.63 ip4:211.236.180.64 ip4:211.236.180.65 ip4:211.236.180.66 ip4:211.236.180.67 ip4:211.236.180.68 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.69 ip4:211.236.180.70 ip4:211.236.180.71 ip4:211.236.180.72 ip4:211.236.180.73 ip4:211.236.180.74 ip4:211.236.180.75 ip4:211.236.180.76 ip4:211.236.180.77 ip4:211.236.180.78 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.79 ip4:211.236.180.80 ip4:211.236.180.81 ip4:211.236.180.82 ip4:211.236.180.83 ip4:211.236.180.84 ip4:211.236.180.85 ip4:211.236.180.86 ip4:211.236.180.87 ip4:211.236.180.88 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.89 ip4:211.236.180.90 ip4:211.236.180.91 ip4:211.236.180.92 ip4:211.236.180.93 ip4:211.236.180.94 ip4:211.236.180.95 ip4:211.236.180.96 ip4:211.236.180.97 ip4:211.236.180.98 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.99 ip4:211.236.180.100 ip4:211.236.180.101 ip4:211.236.180.102 ip4:211.236.180.103 ip4:211.236.180.104 ip4:211.236.180.105 ip4:211.236.180.106 ip4:211.236.180.107 ip4:211.236.180.108 ~all

gd21.net. 236 IN TXT v=spf1 ip4:211.236.180.109 ip4:211.236.180.110 ip4:211.236.180.111 ip4:211.236.180.112 ip4:211.236.180.113 ip4:211.236.180.114 ip4:211.236.180.115 ip4:211.236.180.116 ip4:211.236.180.117 ip4:211.236.180.118 ~all

AUTHORITY SECTION:

gd21.net. 236 IN NS ns2.goldennet.co.kr.

gd21.net. 236 IN NS ns.goldennet.co.kr.

MSG SIZE rcvd: 2735



leslie-2:~ packetalien$ dig gd21.net txt | wc

35 283 3349
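One way to triage a query log like the one above, as an added example that is not part of the original diary: count identical queries per client and estimate the amplification from the 2735-byte answer reported by dig. The function names, the threshold, the query-size estimate and the sample log (rebuilt from the lines on this page plus one made-up unrelated query) are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the query shown in the diary (same client and source ports,
# timestamps simplified) plus one made-up unrelated query.
PORTS = [55148, 63757, 50037, 57822, 21294, 6076, 27221, 34485, 56117]
SAMPLE_LOG = "\n".join(
    f"Jul 24 13:28:56 ns1 named[3240]: client XX.194.158.62#{p}: query: gd21.net IN TXT +E"
    for p in PORTS
) + "\nJul 24 13:28:59 ns1 named[3240]: client 192.0.2.10#40000: query: example.com IN A +\n"

# BIND query-log line: client <addr>#<port>: query: <qname> <class> <type> <flags>
LINE_RE = re.compile(
    r"client\s+(?P<ip>[^#\s]+)#(?P<port>\d+):\s+"
    r"query:\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)"
)


def find_repeated_queries(log_text, threshold=5):
    """Return {(client, qname, qtype): count} for tuples seen >= threshold times."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            key = (m["ip"], m["qname"].lower().rstrip("."), m["qtype"].upper())
            counts[key] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def amplification_factor(qname, response_bytes, edns=True):
    """Estimate response/query size ratio (DNS payload only, no IP/UDP headers)."""
    # Wire-format QNAME: one length byte per label plus the terminating root byte.
    qname_len = sum(len(label) + 1 for label in qname.rstrip(".").split(".")) + 1
    # 12-byte header + QNAME + QTYPE/QCLASS (4 bytes) + optional empty OPT RR (11 bytes).
    query_bytes = 12 + qname_len + 4 + (11 if edns else 0)
    return response_bytes / query_bytes


if __name__ == "__main__":
    for (client, qname, qtype), n in find_repeated_queries(SAMPLE_LOG).items():
        factor = amplification_factor(qname, 2735)  # MSG SIZE rcvd from the dig output
        print(f"{client}: {n} x {qname}/{qtype}, ~{factor:.0f}x amplification")
```

The `edns=True` default matches the `E` flag on the logged queries, which BIND uses to mark EDNS.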





Richard Porter
--- ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
