[dns-operations] Odd query pattern

Wessels, Duane dwessels at verisign.com
Wed Dec 22 17:14:07 UTC 2010


On Dec 22, 2010, at 8:27 AM, Florian Weimer wrote:

> There are authoritative servers which receive the following sequence
> of queries from a certain resolver (which appears to be legitimate and
> also used as an authoritative server):
> 
> - a non-recursive query for EXAMPLE.COM, EDNS0-enabled, DO bit set,
>  sometimes also with the CD bit set
> 
> - a query for XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM, where
>  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is a label containing 32 characters
>  which appear to be semi-random.  Again RD=0, but no EDNS0.
> 
> - a query for YYYYYYYYYYYYYYYYYYYYYYYY.XXXXXXXXXXXXXXXXXXXXXXXX.EXAMPLE.COM,
>  YYYYYYYYYYYYYYYYYYYYYYYY and XXXXXXXXXXXXXXXXXXXXXXXX are labels
>  containing 32 characters which appear to be semi-random.
>  RD=0, no EDNS0.
> 

Kind of looks like someone trying to do NSEC[3] walking and getting it
horribly wrong?

Duane W.
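
One way an operator could flag sources that send the three-step sequence described in the quoted message, run over query-log records. This is an added example, not part of the original thread; the record layout, the entropy threshold and the sample queries are constructed assumptions.

```python
import math
from collections import Counter, namedtuple

# Constructed record layout (hypothetical); map your query-log fields onto it.
Query = namedtuple("Query", "src qname rd edns do")
LABEL_LEN = 32       # label length reported in the thread
MIN_ENTROPY = 3.0    # assumed threshold (bits/char) for "semi-random"

def looks_random(label):
    """True for a 32-character label with high per-character entropy."""
    if len(label) != LABEL_LEN:
        return False
    counts = Counter(label.lower())
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())
    return entropy >= MIN_ENTROPY

def stage(q, zone):
    """Return 1, 2 or 3 if q matches that step of the reported sequence, else 0."""
    name, zone = q.qname.lower().rstrip("."), zone.lower().rstrip(".")
    if q.rd:
        return 0                      # every query in the report had RD=0
    if name == zone:
        return 1 if q.edns and q.do else 0   # step 1: apex, EDNS0 with DO set
    if not name.endswith("." + zone) or q.edns:
        return 0                      # steps 2 and 3 carried no EDNS0
    labels = name[: -len(zone) - 1].split(".")
    if len(labels) in (1, 2) and all(looks_random(l) for l in labels):
        return len(labels) + 1        # one random label: step 2, two: step 3
    return 0

def sources_matching(queries, zone):
    """Sources that sent steps 1, 2 and 3 in that order (other queries may interleave)."""
    progress = {}
    for q in queries:
        s = stage(q, zone)
        if s and s == progress.get(q.src, 0) + 1:
            progress[q.src] = s
    return {src for src, s in progress.items() if s == 3}

# Constructed sample input (documentation addresses, made-up labels).
A = "k3v9q0x7m2b8n4c1z6j5h0t2r9w8y3pd"
B = "p7d1s4f8g2h6j0k3l9z5x1c7v3b9n5mq"
SAMPLE = [
    Query("192.0.2.10", "example.com", False, True, True),
    Query("192.0.2.10", A + ".example.com", False, False, False),
    Query("192.0.2.10", B + "." + A + ".example.com", False, False, False),
    Query("192.0.2.20", "example.com", True, True, True),            # RD=1, ignored
    Query("192.0.2.30", A + ".example.com", False, False, False),    # no step 1 first
]
```
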



