[dns-operations] Lots of queries for TXT records?

Ken A ka at pacific.net
Thu Apr 9 15:55:01 UTC 2009

Chris Adams wrote:
> Once upon a time, Michael Sinatra <michael at rancid.berkeley.edu> said:
>> On 4/8/09 6:02 AM, Chris Adams wrote:
>>> Once upon a time, Chris Adams <cmadams at hiwaay.net> said:
>>>> I am seeing a lot of queries for TXT records for "deepholeforyou.info"
>>>> from a number of clients (many making several dozen requests per
>>>> second).
>>> Now that has stopped, and I'm seeing lots of queries for MX records for
>>> "-m.", possibly from the same users as before.
>>> Maybe a virus writer made a typo?
>> Yep, I am seeing the same thing, from the same hosts (also port 1024).
>> I am also seeing these same hosts query for '. ANY'.  The interesting
>> thing is that the source addresses don't seem to be spoofed (we run uRPF
>> internally, and these are from internal hosts and we do BCP38 at the
>> border), so it's hard to see how this could be a *successful*
>> reflection attack.
> In our case, it appears to all be coming from customer DSL routers.
> Even when running NAT, a number of models of consumer routers appear to
> proxy DNS requests made on the WAN interface back to our nameservers.

Are they listening on UDP 53 on the WAN interface? Do you know which DSL
router models are doing this? Sounds like a bug that needs to be fixed.

> So, someone can send small requests to the devices that cause them to
> receive much larger answers, possibly filling their downstream bandwidth
> (especially the hits yesterday on the large TXT records).

Ken Anderson
Pacific Internet - http://www.pacific.net
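A resolver-side check of the kind the thread is doing by hand, added here as an example and not part of the original post: it parses constructed BIND9-style query-log lines (the log format, the sample addresses and the per-second threshold are assumptions) and reports clients sending bursts of TXT or ANY queries, together with the source ports they used, so a fixed port such as the 1024 mentioned above stands out.

```python
import re
from collections import defaultdict

# Constructed BIND9-style query-log lines (sample input, not from the thread).
SAMPLE_LOG = """\
09-Apr-2009 08:00:01.100 client 192.0.2.10#1024: query: deepholeforyou.info IN TXT + (198.51.100.1)
09-Apr-2009 08:00:01.120 client 192.0.2.10#1024: query: deepholeforyou.info IN TXT + (198.51.100.1)
09-Apr-2009 08:00:01.140 client 192.0.2.10#1024: query: . IN ANY + (198.51.100.1)
09-Apr-2009 08:00:01.150 client 192.0.2.11#1024: query: deepholeforyou.info IN TXT + (198.51.100.1)
09-Apr-2009 08:00:01.300 client 192.0.2.50#53211: query: www.example.com IN A + (198.51.100.1)
09-Apr-2009 08:00:02.000 client 192.0.2.10#1024: query: -m. IN MX + (198.51.100.1)
"""

# One BIND9-style line: timestamp, client IP#port, query name and type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# Types whose answers can be far larger than the query (amplification-friendly).
AMPLIFYING_QTYPES = {"TXT", "ANY"}

def parse_line(line):
    """Return a dict with ts, ip, port (int), qname, qtype, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def find_suspect_clients(log_text, per_second_threshold=3):
    """Map client IP -> {'peak_per_second', 'ports'} for clients sending
    at least per_second_threshold TXT/ANY queries within one second."""
    counts = defaultdict(int)   # (ip, one-second bucket) -> TXT/ANY count
    ports = defaultdict(set)    # ip -> source ports seen on TXT/ANY queries
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["qtype"] not in AMPLIFYING_QTYPES:
            continue
        bucket = rec["ts"].split(".")[0]          # drop milliseconds
        counts[(rec["ip"], bucket)] += 1
        ports[rec["ip"]].add(rec["port"])
    report = {}
    for (ip, _bucket), n in counts.items():
        if n >= per_second_threshold:
            entry = report.setdefault(ip, {"peak_per_second": 0, "ports": ports[ip]})
            entry["peak_per_second"] = max(entry["peak_per_second"], n)
    return report
```

On the sample above only 192.0.2.10 is reported (three TXT/ANY queries in one second, all from port 1024); the A query and the MX query are ignored.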
