[dns-operations] Lots of TXT queries from Google

Wessels, Duane dwessels at verisign.com
Thu Oct 7 14:53:36 UTC 2021


Moritz,

I can't explain the TXT queries, but the NS queries seem to be Google's method of doing qname minimization, with an added nonce value.  See https://indico.dns-oarc.net/event/39/contributions/864/ and https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes

DW


> On Oct 7, 2021, at 4:50 AM, Moritz Müller via dns-operations <dns-operations at dns-oarc.net> wrote:
> 
> 
> From: Moritz Müller <moritz.muller at sidn.nl>
> Subject: Lots of TXT queries from Google
> Date: October 7, 2021 at 4:50:21 AM PDT
> To: <dns-operations at lists.dns-oarc.net>
> 
> 
> Hi,
> 
> For the second time in a few weeks we noticed a significant increase in queries for NS and TXT records at our .nl name servers, originating almost exclusively from the Public DNS resolvers of Google.
> Did someone else notice something similar, or have an explanation?
> 
> In comparison to the beginning of September, the number of NS queries increased 2-fold and the number of TXT queries almost 6-fold.
> At some point, 25% of all queries to our name servers for .nl were for TXT records.
> 
> The resolvers query either for a domain name following the pattern _dmarc.foo.nl or default._domainkey.foo.nl, where foo is a random string, 12 characters long.
> 
> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
> 
> The queried second level domain names are not registered and queries for the same domain name are repeated 3 to 5 times.
> At some point, 80% of all TXT queries from Google had these patterns, 36% of all queries from Google resolvers.
> 
> The queries started ramping up around 2021-09-05 and reached their peak at 2021-09-18. They never reached a concerning level, but we first noticed them because our machine processing the incoming PCAP files couldn’t cope anymore.
> 
> We assume that this is likely not an attack but some tests/measurements, which got a bit out of hand. But since we don’t see the origin of the queries behind the Google resolvers, we’re not sure to whom to reach out.
> 
> Moritz
> 
> SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
> T +31 (0)26 352 55 00
> moritz.muller at sidn.nl | www.sidn.nl
> pgp key: https://pgp.mit.edu/pks/lookup?op=get&search=0x0AF8922B1659B448
> 
> 
> 
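As an added illustration, not code from the list thread or from SIDN or Verisign, the following Python script classifies name-server query-log lines against the probe pattern Moritz describes (TXT queries for _dmarc.<12 random characters>.nl and default._domainkey.<12 random characters>.nl) and reports the kind of shares he quotes: probes as a fraction of TXT queries from the resolvers of interest, as a fraction of all their queries, and how often the same name is repeated. The one-line-per-query log format, the resolver source addresses and the sample log lines are constructed assumptions for the example; an operator would substitute the source-address list of the resolver operator they are investigating.

```python
import re
from collections import Counter

# Assumed log format (constructed for this example): one query per line,
# "<timestamp> <source-ip> <qname> <qtype>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)$")

# Pattern from the post: _dmarc.<12 random chars>.nl or default._domainkey.<12 random chars>.nl
PROBE_RE = re.compile(r"^(?:_dmarc|default\._domainkey)\.(?P<sld>[a-z0-9]{12})\.nl\.?$", re.IGNORECASE)

# Placeholder source addresses standing in for a resolver operator's egress
# ranges (documentation addresses, constructed for the example).
RESOLVERS = {"192.0.2.10", "192.0.2.11"}

# Constructed sample log: two repeated probe names from the resolver set,
# a legitimate _dmarc lookup, an NS query, and traffic from another source.
SAMPLE_LOG = """\
2021-09-18T10:00:00Z 192.0.2.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:00Z 192.0.2.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:01Z 192.0.2.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:01Z 192.0.2.11 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:02Z 192.0.2.11 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:02Z 192.0.2.10 _dmarc.sidn.nl. TXT
2021-09-18T10:00:03Z 192.0.2.10 mdvlxtagogij.nl. NS
2021-09-18T10:00:03Z 192.0.2.10 www.sidn.nl. A
2021-09-18T10:00:04Z 198.51.100.7 _dmarc.abcdefghijkl.nl. TXT
2021-09-18T10:00:04Z 198.51.100.7 example.nl. A
"""


def parse_line(line):
    """Parse one log line into a dict; qname is lower-cased with a trailing dot."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["qname"] = q["qname"].lower().rstrip(".") + "."
    return q


def is_probe_qname(qname):
    """True if the name matches the _dmarc / default._domainkey + 12-char label pattern."""
    return PROBE_RE.match(qname) is not None


def summarize(log_text, resolver_sources):
    """Count probe-pattern TXT queries from the given sources and derive shares."""
    total = resolver_total = resolver_txt = probes = 0
    repeats = Counter()  # probe qname -> number of times it was asked
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        total += 1
        if q["src"] not in resolver_sources:
            continue
        resolver_total += 1
        if q["qtype"] != "TXT":
            continue
        resolver_txt += 1
        if is_probe_qname(q["qname"]):
            probes += 1
            repeats[q["qname"]] += 1

    def share(part, whole):
        return round(part / whole, 3) if whole else 0.0

    return {
        "total_queries": total,
        "resolver_queries": resolver_total,
        "resolver_txt": resolver_txt,
        "probe_queries": probes,
        "probe_share_of_resolver_txt": share(probes, resolver_txt),
        "probe_share_of_resolver_queries": share(probes, resolver_total),
        "max_repeat": max(repeats.values(), default=0),
        "probe_qnames": dict(repeats),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, RESOLVERS).items():
        print(f"{key}: {value}")
```

The source filter is applied before the pattern match so that the shares are computed relative to the resolver operator's own traffic, which is the comparison the post makes; probe-looking names from other sources (the 198.51.100.7 line above) are deliberately left out of the count.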
