Resolvers setting answer bits in queries
Description:
Show a list of resolvers which send queries containing values which should only be present in answers:
- TC bit set
- RA bit set
- RCODE > 0
Note that these columns are only available as of ENTRADA 0.0.10
Impala Query:
select src, max(country) as country, count(*) as total_queries, sum(case when (q_tc=true or q_ra=true or q_rcode>0) then 1 else 0 end) as weird_queries, sum(q_tc) as q_tc, sum(q_ra) as q_ra, sum(case when q_rcode > 0 then 1 else 0 end) as q_rcodefrom dns.queries where year=2017 and month=9 group by src having weird_queries>0order by weird_queries desclimit 10
Example Output:
src | country | total_queries | weird_queries | q_tc | q_ra | q_rcode |
|---|---|---|---|---|---|---|
195.141.183.84 | CH | 20876 | 3082 | 0 | 0 | 3082 |
212.205.80.44 | GR | 11818 | 2963 | 0 | 0 | 2963 |
98.191.98.157 | US | 2512 | 2349 | 0 | 0 | 2349 |
195.167.37.93 | GR | 5409 | 1288 | 0 | 0 | 1288 |
91.209.84.9 | CH | 41629 | 713 | 0 | 0 | 713 |
46.18.202.87 | RU | 560 | 536 | 0 | 0 | 536 |
104.43.9.196 | SG | 429 | 398 | 398 | 0 | 0 |
213.198.82.40 | DE | 3912 | 386 | 0 | 0 | 386 |
141.122.189.112 | CH | 138001 | 196 | 0 | 0 | 196 |
212.243.142.98 | CH | 1560 | 158 | 0 | 0 | 158 |