[dns-operations] s3.amazonaws.com problem?

Daniel Stirnimann daniel.stirnimann at switch.ch
Wed Oct 23 12:37:21 UTC 2019


I have located a host in our network which sends such queries to the
network resolver (which we operate):

mqfgioo5.s3.amazonaws[.]com. IN CNAME
6l-dpfrn.s3.amazonaws[.]com. IN CNAME
2idg5c42.s3.amazonaws[.]com. IN CNAME
qzq3uz5m.s3.amazonaws[.]com. IN CNAME
nenkxm2p.s3.amazonaws[.]com. IN CNAME
yk2max6j.s3.amazonaws[.]com. IN CNAME
qhcbric2.s3.amazonaws[.]com. IN CNAME
wg-jmekf.s3.amazonaws[.]com. IN CNAME
dnwn2ip1.s3.amazonaws[.]com. IN CNAME
711o385.s3.amazonaws[.]com. IN CNAME
rn0v02a6.s3.amazonaws[.]com. IN CNAME
pm1a3a4t.s3.amazonaws[.]com. IN CNAME
0xc.tibo.s3.amazonaws[.]com. IN CNAME
76jt.m9g.s3.amazonaws[.]com. IN CNAME
4tjc8hp.s3.amazonaws[.]com. IN CNAME
b-.9ft7y.s3.amazonaws[.]com. IN CNAME

Interestingly, it also sends other suspicious queries such as:

. IN TYPE1847
. IN TYPE1847
. IN TYPE567
. IN TYPE1847
. IN TYPE567
. IN TYPE1847
. IN TYPE1847
. IN TYPE1900
. IN TYPE823
. IN TYPE1900
. IN TYPE1847
7a4. IN TYPE868
. IN TYPE1847
. IN TYPE1847
. IN TYPE1900
. IN TYPE1847
. IN TYPE1847
3n2y. IN TYPE612
. IN TYPE311
. IN TYPE1900

However, these are mostly answered from cache because of aggressive use
of DNSSEC-validated cache. Still, I guess root server operators may see
an increase in queries with unassigned query types.

Daniel
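
The following is an added example, not part of the original post: a small detector for the two patterns described above, run over one client's queries in the same `qname IN qtype` layout. The zone `zone.example`, the sample lines, the function names and the thresholds are constructed assumptions; treating any RFC 3597 `TYPEnnn` rendering as "unknown to the logger" only approximates "unassigned".

```python
import re
from collections import Counter

# RFC 3597 generic form: printed when the logger has no mnemonic for the type.
GENERIC_TYPE = re.compile(r"^TYPE(\d+)$")

def parse(line):
    """Split 'qname IN qtype' (the layout used in the post) into (qname, qtype)."""
    qname, _qclass, qtype = line.split()
    return qname.lower(), qtype.upper()

def analyze(lines, zone, min_names=5, min_unique_ratio=0.9):
    """Summarize one client's queries for the two patterns in the post."""
    suffix = "." + zone.lower().strip(".") + "."
    unknown_types = Counter()   # generic TYPEnnn qtype -> count
    children = Counter()        # names below `zone` -> count
    for line in lines:
        if not line.strip():
            continue
        qname, qtype = parse(line)
        if GENERIC_TYPE.match(qtype):
            unknown_types[qtype] += 1
        if qname.endswith(suffix):
            children[qname] += 1
    total = sum(children.values())
    # Random-subdomain pattern: many names under one zone, almost none repeated.
    unique_ratio = len(children) / total if total else 0.0
    return {
        "unknown_qtype_queries": sum(unknown_types.values()),
        "unknown_qtypes": dict(unknown_types),
        "zone_queries": total,
        "random_subdomain_suspect": total >= min_names and unique_ratio >= min_unique_ratio,
    }

# Constructed sample input (hypothetical names, not taken from real traffic).
SAMPLE = """\
a1b2c3d4.zone.example. IN CNAME
k9x-22qp.zone.example. IN CNAME
zz81mmq0.zone.example. IN CNAME
p0.o9i8u.zone.example. IN CNAME
7h7h2kd.zone.example. IN CNAME
www.example. IN A
. IN TYPE1847
. IN TYPE567
. IN TYPE1847
mail.example. IN MX
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE, "zone.example"))
```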

