[dns-operations] Lot's of TXT queries from Google

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Oct 7 14:56:12 UTC 2021 

On Thu, Oct 07, 2021 at 01:50:21PM +0200, Moritz Müller via dns-operations wrote:

> For the second time in a few weeks we noticed a significant increase
> in queries for NS and TXT records at our .nl name servers, originating
> almost exclusively from the Public DNS resolvers of Google Did someone
> else noticed something similar or has an explanation?

Well, FWIW, it is not my DNSSEC/DANE survey.  I don't query for TXT
records, and if the traffic came from me, you'd see roughly equal query
volumes from Google and Cloudflare, the queries would be primarily for
the DS and NS records of extant signed domains.

> In comparison to beginning of September, the number of NS queries
> increased 2 fold and the number of TXT queries almost 6 fold.  At some
> point, 25% of all queries to our name servers for .nl where for TXT
> record.
>
> The resolvers query either for a domain name following the pattern
> _dmarc.foo.nl or default._domainkey.foo.nl.  Where foo is a random
> string, 12 characters long.

Rapid7's project sonar collects various TXT records, but again I'd
expect mostly extant names, with a variety of qname lengths.

> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
>
> The queried second level domain names are not registered and queries
> for the same domain name are repeated 3 to 5 times.  At some point,
> 80% of all TXT queries from google had these patterns, 36% of all
> queries from Google resolvers.

I wonder whether this is an attempt to collect the NSEC3 chain for an
off-line dictionary attack?  12 character random names are long enough
to sample the space very well, though shorter strings would also do.

> We assume that this is likely not an attack but some
> tests/measurements, which got a bit out of hand. But since we don’t
> see the origin of the queries behind the Google resolvers, we’re not
> sure to whom to reach out.

Also seems plausible.  If spammers were trying to send from "random"
domains, they'd likely be using domains that actually exist, so that the
mail would be much less likely to be rejected.

-- 
    Viktor.

More information about the dns-operations mailing list