[dns-operations] Lots of queries for TXT records?

Chris Adams cmadams at hiwaay.net
Wed Apr 8 19:16:18 UTC 2009


Once upon a time, Michael Sinatra <michael at rancid.berkeley.edu> said:
> On 4/8/09 6:02 AM, Chris Adams wrote:
> >Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
> >>I am seeing a lot of queries for TXT records for "deepholeforyou.info"
> >>from a number of clients (many making several dozen requests per
> >>second).
> >
> >Now that has stopped, and I'm seeing lots of queries for MX records for
> >"-m.", possibly from the same users as before.
> >
> >Maybe a virus writer made a typo?
> 
> Yep, I am seeing the same thing, from the same hosts (also port 1024).
> 
> I am also seeing these same hosts query for '. ANY'.  The interesting 
> thing is that the source addresses don't seem to be spoofed (we run uRPF 
> internally, and these are from internal hosts and we do BCP38 at the 
> border), so it's hard to see how this could be a *successful* 
> reflection attack.

In our case, it appears to all be coming from customer DSL routers.
Even when running NAT, a number of models of consumer routers appear to
proxy DNS requests made on the WAN interface back to our nameservers.

So, someone can send small requests to the devices that cause them to
receive much larger answers, possibly filling their downstream bandwidth
(especially the hits yesterday on the large TXT records).
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
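An added illustration, not part of the thread: a small Python pass over constructed resolver query-log lines (loosely in BIND's query-log style) that flags clients showing the pattern described above, either repeated TXT/ANY queries or every query arriving from one fixed low source port such as 1024. The sample lines, the threshold and the port heuristic are assumptions, not data from the list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, loosely modelled on a BIND query log (not real data).
SAMPLE_LOG = """\
08-Apr-2009 06:02:00.100 client 192.0.2.10#1024: query: deepholeforyou.info IN TXT +
08-Apr-2009 06:02:00.120 client 192.0.2.10#1024: query: deepholeforyou.info IN TXT +
08-Apr-2009 06:02:00.140 client 192.0.2.10#1024: query: deepholeforyou.info IN TXT +
08-Apr-2009 06:02:00.160 client 192.0.2.10#1024: query: . IN ANY +
08-Apr-2009 06:02:00.300 client 192.0.2.11#1024: query: -m. IN MX +
08-Apr-2009 06:02:00.320 client 192.0.2.11#1024: query: -m. IN MX +
08-Apr-2009 06:02:00.500 client 198.51.100.7#53211: query: www.example.com IN A +
08-Apr-2009 06:02:01.900 client 198.51.100.7#40210: query: mail.example.com IN MX +
"""

LINE_RE = re.compile(
    r"^\S+ \S+ client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)
AMPLIFYING = {"TXT", "ANY"}   # small query, potentially very large answer

def parse_log(text):
    """Yield one dict per line that matches the expected format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspect_sources(text, min_hits=2):
    """Flag clients that look like abused DNS proxies: repeated TXT/ANY queries,
    or all queries from a single unchanging source port <= 1024 (the port-1024
    pattern noted in the thread; assumed heuristic). Returns {ip: (reason, Counter)}."""
    per_ip = defaultdict(list)
    for rec in parse_log(text):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        qtypes = Counter(r["qtype"] for r in recs)
        ports = {int(r["port"]) for r in recs}
        amp = sum(qtypes[t] for t in AMPLIFYING)
        if amp >= min_hits:
            flagged[ip] = ("repeated TXT/ANY", qtypes)
        elif len(recs) >= min_hits and len(ports) == 1 and min(ports) <= 1024:
            flagged[ip] = ("fixed low source port", qtypes)
    return flagged

if __name__ == "__main__":
    for ip, (reason, qtypes) in suspect_sources(SAMPLE_LOG).items():
        print(f"{ip}: {reason}; {dict(qtypes)}")
```

Flagged addresses are candidates for rate limiting or for checking whether the customer device answers DNS on its WAN side, not proof of abuse on their own.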
