[dns-operations] Lot's of TXT queries from Google

[Matt Nordhoff]

On Thu, Oct 7, 2021 at 11:53 AM Moritz Müller via dns-operations
<dns-operations at dns-oarc.net> wrote:
> Hi,
>
> For the second time in a few weeks we noticed a significant increase in queries for NS and TXT records at our .nl name servers, originating almost exclusively from the Public DNS resolvers of Google
> Did someone else noticed something similar or has an explanation?
>
> In comparison to beginning of September, the number of NS queries increased 2 fold and the number of TXT queries almost 6 fold.
> At some point, 25% of all queries to our name servers for .nl where for TXT record.
>
> The resolvers query either for a domain name following the pattern _dmarc.foo.nl or default._domainkey.foo.nl.
> Where foo is a random string, 12 characters long.
>
> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
>
> The queried second level domain names are not registered and queries for the same domain name are repeated 3 to 5 times.
> At some point, 80% of all TXT queries from google had these patterns, 36% of all queries from Google resolvers.
>
> The queries started ramping up around 2021-09-05 and reached their peak at 2021-09-18. They never reached a concerning level, but we first noticed them because our machine processing the incoming PCAP files couldn’t cope anymore.
>
> We assume that this is likely not an attack but some tests/measurements, which got a bit out of hand. But since we don’t see the origin of the queries behind the Google resolvers, we’re not sure to whom to reach out.

>From another perspective, I own some domains in a different ccTLD, and
they get a constant low volume of similar DNS queries, and daily DMARC
reports from major mail providers showing that spam is being sent from
spoofed random subdomains of my domains.

It's mostly died down over the last week.

Maybe the spammers switched to .nl?
-- 
Matt Nordhoff