Viktor Dukhovni ietf-dane at dukhovni.org
Mon Nov 29 07:34:32 UTC 2021

On Mon, Nov 29, 2021 at 07:35:48AM +0100, Lars-Johan Liman wrote:

> It would be interesting to hear from other TLD operators if they see
> similar query patterns, and if so, what effect that has on their
> services.

Yes, this was recently discussed on OARC's Mattermost "Town Hall" forum,
IIRC in the context of .NL, with the queries emanating mostly from
Google, rather than Microsoft.

The consensus conjecture is that this traffic is normal query traffic
from email servers, while validating DKIM/DMARC headers in high-volume
spam runs.  The victim TLD was used to generate DKIM signatures
purportedly on behalf of non-existent domains in whatever TLD seemed
most convenient to the spammer.

There's not much to be done about this.  MTAs do DKIM checks early, so
as to potentially apply the right reputation score to the source before
choosing other filters, ...  So likely don't yet have much data to
determine that the DKIM signatures are dodgy.

The solutions are to take down the botnet, BCP 38, adding consumer
IP blocks to the SpamHaus PBL (or similar), ...

By the time the DKIM signature needs checking, expect DNS queries at
whatever rate the spammer is able to inflict on Google, Microsoft
and others.

It will sadly bring you no joy that my personal MTA handling ~300
messages a day does not make any effort to validate SPF, DKIM or DMARC
and is not a source of the corresponding DNS queries.
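For a TLD operator trying to confirm the conjecture above, the tell-tale is the shape of the query names: a DKIM verifier looks up `<selector>._domainkey.<d= domain>` TXT and a DMARC check looks up `_dmarc.<domain>` TXT, so a spam run signing on behalf of made-up domains shows up as NXDOMAIN TXT queries for those labels from a few large resolver networks. The following is an added example (not code from this thread or from any TLD operator) that classifies constructed authoritative query-log lines by that pattern; the log format, the `.example` TLD and the documentation-range client addresses are all assumptions.

```python
"""Classify authoritative DNS query-log lines by whether the qname is one a
DKIM (RFC 6376: <selector>._domainkey.<domain>) or DMARC (RFC 7489:
_dmarc.<domain>) verifier would look up.  The log format
"<ts> <client> <qname> <qtype> <rcode>" and the sample lines are constructed."""
import re
from collections import Counter

# Constructed sample: verifier lookups for non-existent .example domains from
# a large resolver network (2001:db8:1::/48), plus ordinary traffic and one
# legitimate DKIM lookup for a domain that does exist.
SAMPLE_LOG = """\
2021-11-29T07:00:01Z 2001:db8:1::5 s1._domainkey.k3jf9a.example TXT NXDOMAIN
2021-11-29T07:00:01Z 2001:db8:1::5 _dmarc.k3jf9a.example TXT NXDOMAIN
2021-11-29T07:00:02Z 2001:db8:1::9 s1._domainkey.p0qzv2.example TXT NXDOMAIN
2021-11-29T07:00:02Z 2001:db8:1::9 _dmarc.p0qzv2.example TXT NXDOMAIN
2021-11-29T07:00:03Z 192.0.2.40 www.shop.example A NOERROR
2021-11-29T07:00:03Z 192.0.2.41 mail.shop.example MX NOERROR
2021-11-29T07:00:04Z 2001:db8:1::5 s1._domainkey.shop.example TXT NOERROR
"""

DKIM_RE = re.compile(r"^[^.]+\._domainkey\.(.+)$", re.IGNORECASE)
DMARC_RE = re.compile(r"^_dmarc\.(.+)$", re.IGNORECASE)


def classify_qname(qname):
    """Return ('dkim', domain), ('dmarc', domain) or ('other', qname)."""
    name = qname.rstrip(".")
    m = DKIM_RE.match(name)
    if m:
        return "dkim", m.group(1).lower()
    m = DMARC_RE.match(name)
    if m:
        return "dmarc", m.group(1).lower()
    return "other", name.lower()


def summarize(log_text):
    """Count queries per class, NXDOMAIN verifier lookups per client, and the
    distinct non-existent domains those lookups were for."""
    by_class, nx_by_client, nx_domains = Counter(), Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype, rcode = line.split()
        kind, domain = classify_qname(qname)
        by_class[kind] += 1
        if kind != "other" and rcode == "NXDOMAIN":
            nx_by_client[client] += 1
            nx_domains.add(domain)
    return {"by_class": dict(by_class),
            "nxdomain_auth_by_client": dict(nx_by_client),
            "nonexistent_domains": sorted(nx_domains)}
```

A high ratio of NXDOMAIN `_domainkey`/`_dmarc` lookups to all TXT queries, concentrated in a handful of resolver prefixes, is the signature described in this thread rather than an attack on the TLD itself.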