[dns-operations] Lot's of TXT queries from Google

Arsen STASIC arsen.stasic at univie.ac.at
Thu Oct 7 13:00:52 UTC 2021


Hi,

just guessing maybe its related to https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes

cheers,
-arsen


* Moritz Müller <moritz.muller at sidn.nl> [2021-10-07 13:50 (+0200)]:
>Hi,
>
>For the second time in a few weeks we noticed a significant increase in queries for NS and TXT records at our .nl name servers, originating almost exclusively from the Public DNS resolvers of Google
>Did someone else noticed something similar or has an explanation?
>
>In comparison to beginning of September, the number of NS queries increased 2 fold and the number of TXT queries almost 6 fold.
>At some point, 25% of all queries to our name servers for .nl where for TXT record.
>
>The resolvers query either for a domain name following the pattern _dmarc.foo.nl or default._domainkey.foo.nl.
>Where foo is a random string, 12 characters long.
>
>Examples are:
>_dmarc.mdvlxtagogij.nl.
>default._domainkey.vppj4svmbclt.nl.
>
>The queried second level domain names are not registered and queries for the same domain name are repeated 3 to 5 times.
>At some point, 80% of all TXT queries from google had these patterns, 36% of all queries from Google resolvers.
>
>The queries started ramping up around 2021-09-05 and reached their peak at 2021-09-18. They never reached a concerning level, but we first noticed them because our machine processing the incoming PCAP files couldn’t cope anymore.
>
>We assume that this is likely not an attack but some tests/measurements, which got a bit out of hand. But since we don’t see the origin of the queries behind the Google resolvers, we’re not sure to whom to reach out.
>
>>Moritz
>
>>SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
>T +31 (0)26 352 55 00
>moritz.muller at sidn.nl | www.sidn.nl
>pgp key: https://pgp.mit.edu/pks/lookup?op=get&search=0x0AF8922B1659B448
>





More information about the dns-operations mailing list