[dns-operations] Odd query pattern

Florian Weimer fweimer at bfk.de
Wed Dec 22 16:27:06 UTC 2010


There are authoritative servers which receive the following sequence
of queries from a certain resolver (which appears to be legitimate and
also used as an authoritative server):

- a non-recursive query for EXAMPLE.COM, EDNS0-enabled, DO bit set,
  sometimes also with the CD bit set

- a query for XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM, where
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is a label containing 32 characters
  which appear to be semi-random.  Again RD=0, but no EDNS0.

- a query for YYYYYYYYYYYYYYYYYYYYYYYY.XXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM,
  YYYYYYYYYYYYYYYYYYYYYYYY and  XXXXXXXXXXXXXXXXXXXXXXXX are labels
  containing 32 characters which appear to be semi-random.
  RD=0, no EDNS0.

- Additional queries are received with more and more labels prepended,
  presumably until the maximum domain name length is reached.

- The resolver uses monotonically increasing source port numbers
  within the sequence, but the starting port number appears to be
  random.  (However, this could be a logging artefact.)

All these queries are spaced apart according to the estimated RTT
between authoritative server and the resolver, so they are likely
internal to the resolver's operation.  DNAME and CNAME are not
involved.

Most such query sequences begin with a query which receives a negative
response (and not a delegation, which rules out a measure to add
randomness to the query).  My initial suspicion was that this is
caused by misinterpreted RRSIG or NSEC3 records, but there is some
data that appears to contradict this hypothesis---most zones receiving
such queries are signed, but not all of them.

Has someone else seen such queries?  Does anybody know what causes
them?

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
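
The following is an added example, not part of the original message: one way an authoritative-server operator could search query logs for the sequence described above (RD=0, no EDNS0, one 32-character label prepended per step, source ports compared within the chain). The log format, field names, addresses, labels and the `min_depth` threshold are all assumptions constructed for illustration.

```python
LABEL_LEN = 32  # label length reported in the post
A, B = "a1b2c3d4" * 4, "e5f6g7h8" * 4  # constructed 32-character labels
SAMPLE = [  # constructed log lines; format and addresses are assumptions
    "100.00 192.0.2.53 40001 example.com RD=0 EDNS=1",
    f"100.05 192.0.2.53 40002 {A}.example.com RD=0 EDNS=0",
    "100.07 198.51.100.7 5353 www.example.com RD=0 EDNS=1",
    f"100.10 192.0.2.53 40003 {B}.{A}.example.com RD=0 EDNS=0",
]


def parse(line):
    """Parse '<epoch> <src> <sport> <qname> RD=<0|1> EDNS=<0|1>' (assumed format)."""
    ts, src, port, qname, rd, edns = line.split()
    return {"ts": float(ts), "src": src, "port": int(port),
            "qname": qname.rstrip(".").lower(), "rd": rd == "RD=1",
            "edns": edns == "EDNS=1"}


def find_chains(lines, min_depth=2):
    """Return (src, base_name, depth, ports_increasing) for each chain found."""
    chains, tail = [], {}  # tail maps (src, last qname) -> open chain
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if rec["rd"]:
            continue  # the post reports RD=0 on every query in the sequence
        label, _, parent = rec["qname"].partition(".")
        chain = None
        if len(label) == LABEL_LEN and label.isalnum() and not rec["edns"]:
            # One 32-character label prepended to a name this source just asked for.
            chain = tail.pop((rec["src"], parent), None)
        if chain is None:
            chain = []  # any other RD=0 query may be the base of a new chain
            chains.append(chain)
        chain.append(rec)
        tail[(rec["src"], rec["qname"])] = chain
    found = []
    for chain in chains:
        depth = len(chain) - 1  # number of prepended labels observed
        if depth >= min_depth:
            ports = [r["port"] for r in chain]
            rising = all(a < b for a, b in zip(ports, ports[1:]))
            found.append((chain[0]["src"], chain[0]["qname"], depth, rising))
    return found


if __name__ == "__main__":
    for hit in find_chains(SAMPLE):
        print(hit)
```

The fourth field only reports whether source ports rose strictly within the chain; as the message notes, that observation could itself be a logging artefact.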


