[dns-operations] Lot's of TXT queries from Google
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Oct 8 17:00:46 UTC 2021
On Fri, Oct 08, 2021 at 09:37:34AM +0200, Moritz Müller via dns-operations wrote:
> > I wonder whether this is an attempt to collect the NSEC3 chain for an
> > off-line dictionary attack? 12 character random names are long enough
> > to sample the space very well, though shorter strings would also do.
>
> That sounds possible, but doesn’t explain the _dmarc/default labels, right?

Indeed the choice of labels is unexplained, a straightforward NSEC3 hash
scan would perhaps use just random 2LDs and QTYPE = A.

I can't think of why a high volume unsolicited mail batch would use DKIM
signatures with random non-existent origin domains, rather than simply
leave the signatures out. I don't know of any advantages to adding such
DKIM signatures (DKIM signatures that can't be checked and absent DKIM
signatures are supposed to be equivalent).

--
Viktor.