[dns-operations] Odd MX queries

Daniel Stirnimann daniel.stirnimann at switch.ch
Mon Mar 11 14:24:02 UTC 2013 

Hello

Since a few hours we see quite a large volume of MX queries on our TLD
as well as 2nd-level name-servers.

See attached pictures: dsc-tld-nameserver.png and
dsc-2nd-levelnameserver.png

One of the more prominent client which sends queries to both nameserver
is the IP address 203.45.217.122 (anders51.lnk.telstra.net.)
The IP is not listed on a Spamhaus blacklist
(http://www.spamhaus.org/query/bl?ip=203.45.217.122).

The query details look like this on the TLD nameserver:
"ip_ttl","src_port","qname"            ,"type","msg_id","msg_size","rd"
107     ,23173     ,"bittorrents24.ch."   ,"MX"  ,2       ,34        ,1
107     ,46272     ,"1h8g4qg54n.ch."      ,"MX"  ,81      ,31        ,1
107     ,6066      ,"engorgef.ch."        ,"MX"  ,170     ,29        ,1
107     ,39264     ,"telecool.ch."        ,"MX"  ,157     ,29        ,1
107     ,18894     ,"babaz.ch."           ,"MX"  ,96      ,26        ,1
107     ,19137     ,"badassteens.ch."     ,"MX"  ,148     ,32        ,1
107     ,43440     ,"bamiabear.ch."       ,"MX"  ,55      ,30        ,1
107     ,46299     ,"mail2reggie.ch."     ,"MX"  ,183     ,32        ,1
107     ,36840     ,"beckercap.ch."       ,"MX"  ,86      ,30        ,1
107     ,34205     ,"fgaieojkxl.ch."      ,"MX"  ,44      ,31        ,1
107     ,15345     ,"hayoz-holzbau.ch.ch.","MX"  ,144     ,37        ,1
107     ,33808     ,"bibulous.ch."        ,"MX"  ,133     ,29        ,1
107     ,6606      ,"bcbsnc.ch."          ,"MX"  ,46      ,27        ,1

and like this on the 2nd-level nameserver:
"ip_ttl","src_port","qname"             ,"type","msg_id","msg_size","rd"
107     ,27413     ,"rgac2.ethz.ch."    ,"MX"  ,84      ,31        ,1
107     ,62537     ,"sp052.cern.ch."    ,"MX"  ,217     ,31        ,1
106     ,65441     ,"sunpdp20.cern.ch." ,"MX"  ,55      ,34        ,1
107     ,52398     ,"hecvsante.ch."     ,"MX"  ,172     ,30        ,1
106     ,20194     ,"sunpdp20.cern.ch." ,"MX"  ,149     ,34        ,1
107     ,45914     ,"rgac2.ethz.ch."    ,"MX"  ,1       ,31        ,1
107     ,24860     ,"sp052.cern.ch."    ,"MX"  ,117     ,31        ,1
106     ,50578     ,"rgac2.ethz.ch."    ,"MX"  ,85      ,31        ,1
106     ,40725     ,"sp052.cern.ch."    ,"MX"  ,70      ,31        ,1
107     ,48133     ,"sunpdp20.cern.ch." ,"MX"  ,53      ,34        ,1
106     ,3974      ,"vxcrna.cern.ch."   ,"MX"  ,43      ,32        ,1

So, its clearly not normal resolver behavior as the query question is
not repeated and the RD bit is set (EDNS0 and DO bit is not used/set).
The client is using a large number of different domains and so evading
DNS-RRL. For example, within 15 minutes 3070 different query-names are
used. Within 60 minutes 4716 and within 4 hours 11193 different
query-names. The query-name which is repeated most is asked every 6-7
seconds.

Has anyone an idea what the source of this traffic pattern is? It's also
interesting to note that quite a lot of 2nd-level queries result in
NXDOMAIN responses.

Best regards,
Daniel

-- 
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 16 24, fax +41 44 268 15 78
daniel.stirnimann at switch.ch, http://www.switch.ch
Security-Blog: http://securityblog.switch.ch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dsc-2nd-level-nameserver.png
Type: image/png
Size: 7131 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130311/73bfab88/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dsc-tld-nameserver.png
Type: image/png
Size: 6100 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130311/73bfab88/attachment-0001.png>

More information about the dns-operations mailing list