[dns-operations] Anybody know the reason for dev and dev.home DNS queries?

Edwin Groothuis edwin at mavetju.org
Wed Feb 7 22:34:30 UTC 2018 

> Google-something-else update

Chromecast comes to mind.

Edwin


On 7 February 2018 at 17:47, Petr Špaček <petr.spacek at nic.cz> wrote:

>
>
> On 6.2.2018 16:36, bjorn.hellqvist at teliacompany.com wrote:
> > Hi,
> >
> > I can confirm that we also see these. But not even close to the volume
> you see.
> > A guess would be more in the area of 25.000 per hour.
> >
> > It would be good to know what is causing this.
> >
> > We also see that it pads .dev. or .dev.Home. to regular queries in the
> end
> >
> > Like for example:
> > time.microsoft.akadns.net.Home
> > graph.facebook.com.Home
> >
> > or
> > <WINDOWS-NAME>.Home.
>
> My personal wild guess:
>
> "Home" suffix and similar most likely comes from DNS search lists, which
> most likely come from DHCP configuration.
>
> Speaking of "dev", I would look if sharp increase in such queries
> coincides with Google Chrome/Google-something-else update, I can imagine
> forgotten debug code in Chrome causing this (as dev. is owned by Google).
>
> Petr Špaček  @  CZ.NIC
>
>
> >> -----Original Message-----
> >> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On
> >> Behalf Of sthaug at nethelp.no
> >> Sent: den 3 februari 2018 12:45
> >> To: dns-operations at dns-oarc.net
> >> Subject: [dns-operations] Anybody know the reason for dev and dev.home
> >> DNS queries?
> >>
> >> Yesterday around 19:00 UTC our resolvers started receiving significant
> >> number of A queries for dev and dev.home. The queries seem to be coming
> >> from all over our customer base, and the same clients are asking the
> same
> >> questions repeatedly, as in
> >>
> >> 12:39:22.463999 IP 81.191.187.50.55370 > 193.75.75.193.53: 12+ A? dev.
> (21)
> >> 12:39:22.491596 IP 81.191.187.50.49679 > 193.75.75.193.53: 13+ A?
> dev.Home.
> >> (26)
> >> 12:39:22.941006 IP 81.191.187.50.42348 > 193.75.75.193.53: 4+ A? dev.
> (21)
> >> 12:39:22.968832 IP 81.191.187.50.51374 > 193.75.75.193.53: 5+ A?
> dev.Home.
> >> (26)
> >> 12:39:23.036843 IP 81.191.187.50.58315 > 193.75.75.193.53: 8+ A? dev.
> (21)
> >> 12:39:23.064707 IP 81.191.187.50.53462 > 193.75.75.193.53: 9+ A?
> dev.Home.
> >> (26)
> >> 12:39:23.132926 IP 81.191.187.50.52533 > 193.75.75.193.53: 12+ A? dev.
> (21)
> >> 12:39:23.160834 IP 81.191.187.50.39345 > 193.75.75.193.53: 13+ A?
> dev.Home.
> >> (26)
> >>
> >> (repeat ad nauseam)
> >>
> >> We're currently receiving many thousands of qps for these two names.
> >> Anybody know what is the cause of these queries? I tried googling, but
> >> clearly google skills aren't good enough.
> >>
> >> Steinar Haug, AS2116
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180208/1f3f9714/attachment.html>

More information about the dns-operations mailing list