[dns-operations] Anybody know the reason for dev and dev.home DNS queries?

Petr Špaček petr.spacek at nic.cz
Wed Feb 7 06:47:17 UTC 2018 


On 6.2.2018 16:36, bjorn.hellqvist at teliacompany.com wrote:
> Hi, 
> 
> I can confirm that we also see these. But not even close to the volume you see. 
> A guess would be more in the area of 25.000 per hour. 
> 
> It would be good to know what is causing this. 
> 
> We also see that it pads .dev. or .dev.Home. to regular queries in the end
> 
> Like for example:
> time.microsoft.akadns.net.Home
> graph.facebook.com.Home
> 
> or
> <WINDOWS-NAME>.Home.

My personal wild guess:

"Home" suffix and similar most likely comes from DNS search lists, which
most likely come from DHCP configuration.

Speaking of "dev", I would look if sharp increase in such queries
coincides with Google Chrome/Google-something-else update, I can imagine
forgotten debug code in Chrome causing this (as dev. is owned by Google).

Petr Špaček  @  CZ.NIC


>> -----Original Message-----
>> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On
>> Behalf Of sthaug at nethelp.no
>> Sent: den 3 februari 2018 12:45
>> To: dns-operations at dns-oarc.net
>> Subject: [dns-operations] Anybody know the reason for dev and dev.home
>> DNS queries?
>>
>> Yesterday around 19:00 UTC our resolvers started receiving significant
>> number of A queries for dev and dev.home. The queries seem to be coming
>> from all over our customer base, and the same clients are asking the same
>> questions repeatedly, as in
>>
>> 12:39:22.463999 IP 81.191.187.50.55370 > 193.75.75.193.53: 12+ A? dev. (21)
>> 12:39:22.491596 IP 81.191.187.50.49679 > 193.75.75.193.53: 13+ A? dev.Home.
>> (26)
>> 12:39:22.941006 IP 81.191.187.50.42348 > 193.75.75.193.53: 4+ A? dev. (21)
>> 12:39:22.968832 IP 81.191.187.50.51374 > 193.75.75.193.53: 5+ A? dev.Home.
>> (26)
>> 12:39:23.036843 IP 81.191.187.50.58315 > 193.75.75.193.53: 8+ A? dev. (21)
>> 12:39:23.064707 IP 81.191.187.50.53462 > 193.75.75.193.53: 9+ A? dev.Home.
>> (26)
>> 12:39:23.132926 IP 81.191.187.50.52533 > 193.75.75.193.53: 12+ A? dev. (21)
>> 12:39:23.160834 IP 81.191.187.50.39345 > 193.75.75.193.53: 13+ A? dev.Home.
>> (26)
>>
>> (repeat ad nauseam)
>>
>> We're currently receiving many thousands of qps for these two names.
>> Anybody know what is the cause of these queries? I tried googling, but
>> clearly google skills aren't good enough.
>>
>> Steinar Haug, AS2116

More information about the dns-operations mailing list