[dns-operations] root, PTR and www.google.com probes
John Kristoff
jtk at cymru.com
Wed Jul 21 19:51:44 UTC 2010
DNS probing in the wild isn't very common so I thought I would report
on some activity we've seen hitting some of the DRG monitor pods.
Note: this is not a complete analysis; this is all I'm making time for.
There are at least 3 relatively widespread DNS query probes we've been
seeing, the first two of which appear to be related.
Probe 1:
class: INTERNET
type: NS
qname: .
rd: 0 (recursion not desired)
EDNS: none
targets: various around the globe and address space
sources: ~65, all from a variety of .cn / .tw ISP routed netblocks
started: ~2010-06-12 19:00 UTC
Probe 2:
class: INTERNET
type: PTR
qname: D.C.B.A.in-addr.arpa. (*)
rd: 0 (recursion not desired)
EDNS: none
sources: ~10, all from a variety of .cn ISP routed netblocks
targets: various around the globe and address space
started: ~2010-06-12 19:40 UTC
(*) Where A.B.C.D is the public IPv4 address of the host the
probe was sent to.
For the above two probes, source hosts initially had a more sporadic
pattern, but more recently are sending in rapid succession 3 repeated
queries. Sources will probe again after about 20-40 minutes. The same
source port is used for each query in the set of 3, but sometimes
changes during the next interval and sometimes stays constant across
destinations for long times. All the sources seen in the second probe
set were seen in the first. For the common sources, they would
alternate between probe types. All these sources may be BIND servers as
many of them appear to fingerprint with a variety of BIND versions.
Probe 3:
class: INTERNET
type: A
qname: www.google.com
rd: 1 (recursion desired)
EDNS: none
sources: ~15, all from a variety of .cn ISP routed netblocks
targets: various around the globe and address space
started: ~2010-07-20 04:00 UTC
The only thing I see in common with the other two probes is that the
exact same set of DRG pods saw all the same types of probes. That
could simply be an artifact of port 53 access on those networks,
otherwise this third probe appears to be unique. Each source, presuming
no spoofing, sends a repeat query to each destination about every 10
minutes. All sources always use the same source port 53455. These
don't seem to respond as DNS servers.
These three probe scenarios are an ongoing phenomenon.
It's unclear to me what is behind this. Given the origin of the sources
and the likely silence I'll get about any inquiry into the activity, I'm not
inclined to bother trying to find out more. For those that have an open
resolver or a server that gives back some unique answer, you might be
able to solicit more activity for more insight.
John
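An added example (not part of John's post) that turns the three probe descriptions above into detection logic a pod or resolver operator could run over parsed query records. The record field names (src, sport, dst, qtype, qname, rd, edns) and the sample records are constructed assumptions, not data from the post.

```python
import ipaddress
from collections import Counter

def classify_probe(q):
    """Match one parsed query against the three probe signatures.

    Returns 'probe1', 'probe2', 'probe3' or None. Field names are an
    assumption; adapt them to whatever your capture tooling emits.
    """
    qname = q["qname"].rstrip(".").lower()
    if q["edns"]:
        return None  # all three probes were observed without EDNS
    # Probe 1: NS query for the root with recursion not desired
    if q["qtype"] == "NS" and qname == "" and q["rd"] == 0:
        return "probe1"
    # Probe 2: PTR for the reverse name of the probed host's own address
    if q["qtype"] == "PTR" and q["rd"] == 0:
        expected = ipaddress.ip_address(q["dst"]).reverse_pointer
        if qname == expected.lower():
            return "probe2"
    # Probe 3: recursive A for www.google.com from fixed source port 53455.
    # The fixed port is the observed trait; treat it as a weak, changeable signal.
    if (q["qtype"] == "A" and qname == "www.google.com"
            and q["rd"] == 1 and q["sport"] == 53455):
        return "probe3"
    return None

def summarize(queries):
    """Count matches per (probe, source) so repeating sources stand out."""
    counts = Counter()
    for q in queries:
        label = classify_probe(q)
        if label:
            counts[(label, q["src"])] += 1
    return counts

# Constructed sample records (documentation address ranges, not real sources).
SAMPLE = [
    {"src": "192.0.2.10", "sport": 4242, "dst": "203.0.113.7", "qtype": "NS",
     "qname": ".", "rd": 0, "edns": False},
    {"src": "192.0.2.10", "sport": 4242, "dst": "203.0.113.7", "qtype": "PTR",
     "qname": "7.113.0.203.in-addr.arpa.", "rd": 0, "edns": False},
    {"src": "192.0.2.20", "sport": 53455, "dst": "203.0.113.7", "qtype": "A",
     "qname": "www.google.com", "rd": 1, "edns": False},
    # Ordinary recursive client: same name, but not the fixed port -> no match
    {"src": "198.51.100.5", "sport": 5353, "dst": "203.0.113.7", "qtype": "A",
     "qname": "www.google.com", "rd": 1, "edns": False},
    # PTR for some other address, not the pod's own -> no match
    {"src": "198.51.100.6", "sport": 1234, "dst": "203.0.113.7", "qtype": "PTR",
     "qname": "1.1.168.192.in-addr.arpa.", "rd": 0, "edns": False},
]
```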