III. bogus queries

data from our earlier study: bogus A queries to root servers for a few hours at f-root in 2001

- A queries ask for the IP address of a hostname
- malformed A queries were 14% of the load at F.root
  - asking for the IP address of an IP address
  - example: "A 206.168.0.4" - should not happen
  - guilty: Microsoft Win2k resolver, viruses (win95/98/nt), macOSX resolver
  - (good news: with our help, Microsoft found and fixed this bug in Win2k, although the way to turn off a bad default configuration is 6 or so menus deep...)
- 20% of queries asking for non-existent TLD
  - lots of internal microsoft names (active directory)
  - lots ending in .local, .localhost, .workgroup, .msft, .domain, etc.
- hard to track down, nameservers just relay clients' queries
  - cannot see back to the actual client that asked the question
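
The two bogus-query classes above can be sorted out of a query log with a few lines of code. This is an added example, not code from the study: the log format (`source qtype qname`), the log lines and the short TLD list are all constructed, and a real check would load the full list of delegated TLDs.

```python
import ipaddress
from collections import Counter

# Constructed sample of delegated TLDs (assumption: stands in for the real root zone).
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "arpa", "uk", "de", "jp"}

# Constructed log lines: "<querying nameserver> <qtype> <qname>"
SAMPLE_LOG = """\
192.0.2.10 A www.example.com.
192.0.2.10 A 206.168.0.4
192.0.2.11 A fileserver.corp.local
192.0.2.11 SOA _ldap._tcp.dc._msdcs.example.msft.
198.51.100.7 A mail.example.org
198.51.100.7 A printer.workgroup
198.51.100.9 PTR 4.0.168.206.in-addr.arpa.
198.51.100.9 A localhost
"""

def classify(qtype, qname):
    """Return 'a-for-a', 'bogus-tld' or 'ok' for one query."""
    name = qname.rstrip(".").lower()
    if name == "":                      # query for the root itself
        return "ok"
    if qtype == "A":
        try:                            # "A 206.168.0.4": address of an address
            ipaddress.IPv4Address(name)
            return "a-for-a"
        except ValueError:
            pass
    tld = name.rsplit(".", 1)[-1]       # rightmost label
    return "ok" if tld in KNOWN_TLDS else "bogus-tld"

def summarize(log_text):
    """Count verdicts overall and bogus queries per source address."""
    totals, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:             # skip malformed log lines
            continue
        src, qtype, qname = parts
        verdict = classify(qtype.upper(), qname)
        totals[verdict] += 1
        if verdict != "ok":
            # src is the relaying nameserver, not the client that asked
            by_source[src] += 1
    return totals, by_source

if __name__ == "__main__":
    totals, by_source = summarize(SAMPLE_LOG)
    print(dict(totals), dict(by_source))
```

The per-source counts only attribute bogus queries to the nameserver that relayed them, which is the tracking limit the last bullet describes.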