[dns-operations] Random Subdomain Strangeness

Klaus Darilion klaus.mailinglists at pernau.at
Mon Apr 15 18:12:29 UTC 2019


Hello!

Quite often, on our authoritative nameservers, we see random (or not
random?) subdomain queries triggering NXDOMAIN at a high rate, i.e.
20.000 q/s, globally distributed with src-IP addresses from various
ISP resolvers and public resolver services.

The subdomains look like random variants from IT-dictionaries - see below.

Does anyone have an idea where these queries come from?
- Random Subdomain Attack? Then the query rate is too low.
- Vulnerability Scans? Would not have such distributed sources.
- Zone enumeration?

Thanks
Klaus

elbv1-www.gtm4.ourcustomer.com
swaggerv2-www.gtm4.ourcustomer.com
www-nodev2.gtm4.ourcustomer.com
v3-srv-cn.gtm4.ourcustomer.com
www-ftpv2.gtm4.ourcustomer.com
v2-ops-cn.gtm4.ourcustomer.com
wwwftpv0.gtm4.ourcustomer.com
cnservicev2.gtm4.ourcustomer.com
wwwsolr-v2.gtm4.ourcustomer.com
rabbitmqv3-www.wip.ourcustomer.com
www-rabbitmq-v4.wip.ourcustomer.com
v1-zookeeper-www.wip.ourcustomer.com
v1-rabbitmq-www.wip.ourcustomer.com
wwwsynlogv3.wip.ourcustomer.com
www-v2-external.wip.ourcustomer.com
wwwrsyslog-v3.wip.ourcustomer.com
wwwsynlogv1.wip.ourcustomer.com

The 3rd label is constant for a while, and then changes.

anais.linode.othercustomer.com
makegeorgiawork.othercustomer.com
mardoc.othercustomer.com
laxextern-gateway.othercustomer.com
livecycle.othercustomer.com
lab2-mobi.othercustomer.com
2195782745.log.othercustomer.com
kazzblog.othercustomer.com
konichiwa0907.othercustomer.com
joseline.othercustomer.com
lagukita.othercustomer.com
julienlefloch.othercustomer.com
julienloizelet.othercustomer.com
www.karolyhaza.othercustomer.com
karomaza.othercustomer.com
jet.othercustomer.com
lps-api-staging-7.othercustomer.com
lecanzonideicartoni.othercustomer.com
leadthechange.othercustomer.com
www.klubicko.othercustomer.com
koyot.othercustomer.com
590813392.log.othercustomer.com
leccebc.othercustomer.com
internet-latinoamerica.othercustomer.com
www1.limesurvey.othercustomer.com
www.koyulhisar.othercustomer.com
www.kzn.othercustomer.com
6161611151.log.othercustomer.com
www.leiratkozas.othercustomer.com
leipzigde01.othercustomer.com
0-checkpoint.riag.com.library.othercustomer.com
0-www.rep.routledge.com.library.othercustomer.com
intranetuat.othercustomer.com
lps-jenkins-akamai.othercustomer.com
krispy.othercustomer.com
qa.kriss.othercustomer.com
www.exchange.lfo.othercustomer.com
kinayems.othercustomer.com
lehighacres.othercustomer.com
lauryn.othercustomer.com
jetsmarter.othercustomer.com
jriver.othercustomer.com
lb1staging.othercustomer.com
lehighvalleyhomes.othercustomer.com
www.testqa.kr.othercustomer.com
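
An added triage example (not part of the original post): one way an operator could test the "dictionary variants" impression on NXDOMAIN query names is to split the leftmost label into word stems and affix tags and count how many names fit a fixed template. The tag vocabulary (`www`, `cn`, `v<digits>`) and the function names `decompose` and `profile` are assumptions read off the first list above.

```python
import re
from collections import Counter

# Query names copied from the first list in the post (already anonymised there).
SAMPLE = """
elbv1-www.gtm4.ourcustomer.com swaggerv2-www.gtm4.ourcustomer.com
www-nodev2.gtm4.ourcustomer.com v3-srv-cn.gtm4.ourcustomer.com
www-ftpv2.gtm4.ourcustomer.com v2-ops-cn.gtm4.ourcustomer.com
wwwftpv0.gtm4.ourcustomer.com cnservicev2.gtm4.ourcustomer.com
wwwsolr-v2.gtm4.ourcustomer.com rabbitmqv3-www.wip.ourcustomer.com
www-rabbitmq-v4.wip.ourcustomer.com v1-zookeeper-www.wip.ourcustomer.com
v1-rabbitmq-www.wip.ourcustomer.com wwwsynlogv3.wip.ourcustomer.com
www-v2-external.wip.ourcustomer.com wwwrsyslog-v3.wip.ourcustomer.com
wwwsynlogv1.wip.ourcustomer.com
""".split()

# Assumption: affix vocabulary picked by eye from the sample, not a known tool's list.
TAG = r"(?:www|cn|v\d+)"
# Tags glued to the start or end of a hyphen-separated piece; the rest is the stem.
PIECE = re.compile(rf"^({TAG}*)(.*?)({TAG}*)$")

def decompose(qname):
    """Split the leftmost label of qname into (stems, tags)."""
    stems, tags = [], []
    for piece in qname.lower().split(".")[0].split("-"):
        head, stem, tail = PIECE.match(piece).groups()
        tags += re.findall(TAG, head + tail)
        if stem:
            stems.append(stem)
    return stems, tags

def profile(qnames):
    """Count names of the form: one stem + one version tag + one www/cn tag."""
    stems, templated = Counter(), 0
    for q in qnames:
        s, t = decompose(q)
        stems.update(s)
        versions = [x for x in t if x.startswith("v")]
        if len(s) == 1 and len(versions) == 1 and len(t) == 2:
            templated += 1
    return {"names": len(qnames), "templated": templated, "stems": stems}

if __name__ == "__main__":
    p = profile(SAMPLE)
    print(f"{p['templated']}/{p['names']} names fit the template")
    for stem, n in p["stems"].most_common():
        print(f"{n:3d}  {stem}")
```

Run over a larger NXDOMAIN capture, a high templated share with a small stem vocabulary points to wordlist-driven name generation rather than uniformly random labels.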




