[dns-operations] Odd query pattern
fweimer at bfk.de
Wed Dec 22 16:27:06 UTC 2010
There are authoritative servers which receive the following sequence
of queries from a certain resolver (which appears to be legitimate and
also used as an authoritative server):
- a non-recursive query for EXAMPLE.COM, EDNS0-enabled, DO bit set,
sometimes also with the CD bit set
- a query for XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM, where
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is a label containing 32 characters
which appear to be semi-random. Again RD=0, but no EDNS0.
- a query for YYYYYYYYYYYYYYYYYYYYYYYY.XXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM,
where YYYYYYYYYYYYYYYYYYYYYYYY and XXXXXXXXXXXXXXXXXXXXXXXX are labels
containing 32 characters which appear to be semi-random.
RD=0, no EDNS0.
- Additional queries are received with more and more labels prepended,
presumably until the maximum domain name length is reached.
- The resolver uses monotonically increasing source port numbers
within the sequence, but the starting port number appears to be
random. (However, this could be a logging artefact.)
All these queries are spaced apart according to the estimated RTT
between authoritative server and the resolver, so they are likely
internal to the resolver's operation. DNAME and CNAME are not
Most such query sequences begin with a query which receives a negative
response (and not a delegation, which rules out a measure to add
randomness to the query). My initial suspicion was that this is
caused by misinterpreted RRSIG or NSEC3 records, but there is some
data that appears to contradict this hypothesis---most zones receiving
such queries are signed, but not all of them.
Has someone else seen such queries? Does anybody know what causes
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
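As an added example (not part of Florian's post, and not code from any resolver or list member), the following Python script recognises the pattern he describes in a query log: a run of RD=0 queries from one source where each name is the previous one with one more 32-character label prepended. It also computes how many such labels fit before the 255-octet name limit is hit, which is the depth at which the sequence should stop if the "until the maximum domain name length" guess is right. The log lines are constructed and the BIND-style query-log format ("client A#port: query: NAME IN TYPE FLAGS") is an assumption of this example, as are the label alphabet and the 32-character length it keys on.

```python
"""Detect progressively-prepended random-label query chains in a DNS query log.

Added example for illustration; the log lines below are constructed, not real traffic,
and the BIND-style log format is assumed.
"""
import re
from collections import defaultdict

# Constructed sample: one resolver (192.0.2.10) walks EXAMPLE.COM downwards with
# 32-char labels, RD=0; a second client and a later unrelated query are noise.
SAMPLE_LOG = """\
22-Dec-2010 16:27:06.101 queries: info: client 192.0.2.10#40001: query: example.com IN A -ED (203.0.113.5)
22-Dec-2010 16:27:06.142 queries: info: client 192.0.2.10#40002: query: k3mz9q2pvx7c4hd0s8wa1ne5rb6ytu0j.example.com IN A - (203.0.113.5)
22-Dec-2010 16:27:06.184 queries: info: client 192.0.2.10#40003: query: a8f2xq9lm4zv0cpt6ehw3nr1ksd7yu5b.k3mz9q2pvx7c4hd0s8wa1ne5rb6ytu0j.example.com IN A - (203.0.113.5)
22-Dec-2010 16:27:06.190 queries: info: client 198.51.100.7#5353: query: www.example.com IN A +E (203.0.113.5)
22-Dec-2010 16:27:06.226 queries: info: client 192.0.2.10#40004: query: p1vq7zx4nm2rk9cb6wh0jt3sd8ye5ul0.a8f2xq9lm4zv0cpt6ehw3nr1ksd7yu5b.k3mz9q2pvx7c4hd0s8wa1ne5rb6ytu0j.example.com IN A - (203.0.113.5)
22-Dec-2010 16:27:07.000 queries: info: client 192.0.2.10#40005: query: mail.example.com IN MX + (203.0.113.5)
"""

# Assumed BIND-style fields: "+"/"-" is RD, then E=EDNS, D=DO bit, C=CD bit, T=TCP.
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F:.]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
RANDOM_LABEL_RE = re.compile(r"^[0-9a-z]{32}$", re.IGNORECASE)  # assumed alphabet
MAX_NAME_OCTETS = 255  # RFC 1035 wire-format limit for a domain name


def wire_length(name: str) -> int:
    """Wire-format length: one length octet per label, plus the terminating root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def max_prepended_labels(base: str, label_len: int = 32) -> int:
    """How many label_len labels can be prepended to base before exceeding 255 octets."""
    return (MAX_NAME_OCTETS - wire_length(base)) // (label_len + 1)


def parse_line(line: str):
    m = LINE_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["port"] = int(q["port"])
    q["rd"] = q["flags"].startswith("+")
    q["edns"] = "E" in q["flags"][1:]
    q["do"] = "D" in q["flags"][1:]
    q["qname"] = q["qname"].rstrip(".").lower()
    return q


def _extends(prev: str, cur: str) -> bool:
    """True if cur is prev with exactly one 32-character label prepended."""
    if not cur.endswith("." + prev):
        return False
    head = cur[: -len(prev) - 1]
    return RANDOM_LABEL_RE.match(head) is not None


def find_chains(log_text: str, min_depth: int = 3):
    """Return one summary dict per source that emitted a chain of >= min_depth queries."""
    chains = defaultdict(list)  # src address -> queries of the chain currently being built
    found = []

    def flush(src):
        chain = chains.pop(src, [])
        if len(chain) >= min_depth:
            ports = [q["port"] for q in chain]
            found.append({
                "src": src,
                "base": chain[0]["qname"],
                "depth": len(chain) - 1,  # number of random labels prepended so far
                "first_do": chain[0]["do"],  # was the opening query DO-enabled?
                "ports_monotonic": all(a < b for a, b in zip(ports, ports[1:])),
                "max_depth": max_prepended_labels(chain[0]["qname"]),
            })

    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        chain = chains[q["src"]]
        if chain and not q["rd"] and _extends(chain[-1]["qname"], q["qname"]):
            chain.append(q)
            continue
        flush(q["src"])          # anything else ends the current chain for this source
        chains[q["src"]].append(q)

    for src in list(chains):
        flush(src)
    return found


if __name__ == "__main__":
    for c in find_chains(SAMPLE_LOG):
        print(c)
```

Run against the sample it reports a single chain from 192.0.2.10 under example.com, three labels deep, with a DO-enabled opening query and strictly increasing source ports; `max_prepended_labels("example.com")` is 7, so a resolver really walking to the 255-octet limit would send seven such queries after the initial one. Feeding a real query log in requires only that the regular expression match the local log format.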