[dns-operations] Lot's of TXT queries from Google

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Oct 8 17:00:46 UTC 2021


On Fri, Oct 08, 2021 at 09:37:34AM +0200, Moritz Müller via dns-operations wrote:

> > I wonder whether this is an attempt to collect the NSEC3 chain for an
> > off-line dictionary attack?  12 character random names are long enough
> > to sample the space very well, though shorter strings would also do.
> 
> That sounds possible, but doesn’t explain the _dmarc/default labels, right?

Indeed the choice of labels is unexplained, a straightforward NSEC3 hash
scan would perhaps use just random 2LDs and QTYPE = A.

I can't think of why a high volume unsolicited mail batch would use DKIM
signatures with random non-existent origin domains, rather than simplky
leave the signatures out.  I don't know of any advantages to adding such
DKIM signatures (DKIM signatures that can't be checked and absent DKIM
signatures are supposed to be equivalent).

-- 
    Viktor.



More information about the dns-operations mailing list