Lots of TXT queries from Google

Moritz Müller moritz.muller at sidn.nl
Thu Oct 7 11:50:21 UTC 2021


For the second time in a few weeks we noticed a significant increase in queries for NS and TXT records at our .nl name servers, originating almost exclusively from the Public DNS resolvers of Google.
Did someone else notice something similar or have an explanation?

In comparison to the beginning of September, the number of NS queries increased 2 fold and the number of TXT queries almost 6 fold.
At some point, 25% of all queries to our name servers for .nl were for TXT records.

The resolvers query either for a domain name following the pattern _dmarc.foo.nl or default._domainkey.foo.nl,
where foo is a random string, 12 characters long.

Examples are:

The queried second level domain names are not registered and queries for the same domain name are repeated 3 to 5 times.
At some point, 80% of all TXT queries from Google had these patterns, 36% of all queries from Google resolvers.

The queries started ramping up around 2021-09-05 and reached their peak at 2021-09-18. They never reached a concerning level, but we first noticed them because our machine processing the incoming PCAP files couldn’t cope anymore.

We assume that this is likely not an attack but some tests/measurements, which got a bit out of hand. But since we don’t see the origin of the queries behind the Google resolvers, we’re not sure to whom to reach out.


SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 00
moritz.muller at sidn.nl | www.sidn.nl
pgp key: https://pgp.mit.edu/pks/lookup?op=get&search=0x0AF8922B1659B448
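
Added example, not part of the original message: one way to measure the reported pattern in authoritative query logs. The letters-and-digits character set for the 12-character label, counting repeats per queried name, the registered-name set and the sample queries are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the 12-character random label consists of letters and digits only.
PATTERN = re.compile(r"^(_dmarc|default\._domainkey)\.([a-z0-9]{12})\.nl\.?$", re.I)

def classify(qname):
    """Return (prefix, second-level domain) if qname fits the reported pattern."""
    m = PATTERN.match(qname)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower() + ".nl"

def summarize(queries, registered):
    """queries: iterable of (qname, qtype), already filtered to one resolver source.
    registered: set of registered second-level names (hypothetical registry lookup)."""
    txt_total = 0
    hits = Counter()
    for qname, qtype in queries:
        if qtype != "TXT":
            continue
        txt_total += 1
        found = classify(qname)
        # Only count names that fit the pattern and are not registered.
        if found and found[1] not in registered:
            hits[qname.lower().rstrip(".")] += 1
    matched = sum(hits.values())
    return {
        "txt_total": txt_total,
        "matched": matched,
        "share": matched / txt_total if txt_total else 0.0,
        # Names repeated 3 to 5 times, as described in the message.
        "repeated_3_to_5": sorted(n for n, c in hits.items() if 3 <= c <= 5),
    }

# Constructed sample queries (not taken from real traffic).
SAMPLE = [
    ("_dmarc.q7x2mfk0zpla.nl.", "TXT"),
    ("_dmarc.q7x2mfk0zpla.nl.", "TXT"),
    ("_dmarc.Q7X2MFK0ZPLA.nl.", "TXT"),
    ("default._domainkey.h3n9wd4ytc8b.nl.", "TXT"),
    ("_dmarc.sidn.nl.", "TXT"),            # label is not 12 characters
    ("_dmarc.abcdefghijkl.nl.", "TXT"),    # fits the pattern but is registered here
    ("q7x2mfk0zpla.nl.", "NS"),
]
REGISTERED = {"sidn.nl", "abcdefghijkl.nl"}

if __name__ == "__main__":
    print(summarize(SAMPLE, REGISTERED))
```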
