[dns-operations] Lot's of TXT queries from Google

Puneet Sood puneets at google.com
Fri Oct 8 17:12:32 UTC 2021


On Fri, Oct 8, 2021 at 3:42 AM Moritz Müller via dns-operations
<dns-operations at dns-oarc.net> wrote:
>
> ---------- Forwarded message ----------
> From: "Moritz Müller" <moritz.muller at sidn.nl>
> To: "Blacka, David via dns-operations" <dns-operations at dns-oarc.net>
> Cc:
> Bcc:
> Date: Fri, 8 Oct 2021 09:37:34 +0200
> Subject: Re: [dns-operations] Lot's of TXT queries from Google
> Thank you for trying to help out folks!
>
> > On 7 Oct 2021, at 16:56, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > I wonder whether this is an attempt to collect the NSEC3 chain for an
> > off-line dictionary attack?  12 character random names are long enough
> > to sample the space very well, though shorter strings would also do.
>
> That sounds possible, but doesn’t explain the _dmarc/default labels, right?
>
> @puneet
> Would that be worth further exploring on your side?
> At some point, we received 16264 qps of those types of queries at one site.

I think this falls in the category of unusual but non-critical traffic
spikes. Unless there is a pattern here to suggest future risk, it is
not worthwhile to investigate further.

This is another case where NSEC3 opt-out interferes with effective
NSEC{3} response caching which would reduce queries to the TLD.

-Puneet

>
>> Moritz
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
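
Added example (not part of the original message, and not code from any resolver): the opt-out point above, seen from a validating resolver that tries to answer a random-label query from cached NSEC3 records, as in aggressive negative caching (RFC 8198). The zone, query name and one-record chain are constructed, the function names are hypothetical, and only the cover check on the query name itself is modelled (no closest-encloser or wildcard proof).

```python
import base64
import hashlib

_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (SHA-1) of a domain name, as lowercase base32hex."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(str.maketrans(_STD, _HEX)).lower()

def covers(owner, nxt, h):
    """True if hash h falls strictly between owner and next on the NSEC3 ring."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # last record wraps around to the first

def decide(qname, cached, salt_hex, iterations):
    """Can a validating resolver answer NXDOMAIN for qname from cached NSEC3s?"""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt, opt_out in cached:
        if covers(owner, nxt, h):
            # An opt-out span may hide unsigned delegations, so it proves nothing
            # about whether qname exists: the query must go to the authoritative.
            return "query-upstream" if opt_out else "synthesize-nxdomain"
    return "query-upstream"              # no covering record cached yet

# Constructed sample: zone "example" with the RFC 5155 Appendix A parameters and a
# one-record NSEC3 chain (apex only), so that record spans the whole hash ring.
SALT, ITER = "aabbccdd", 12
APEX = nsec3_hash("example", SALT, ITER)
QNAME = "k3v9x0q7w2zt.example"           # constructed 12-character random label

if __name__ == "__main__":
    for opt_out in (False, True):
        print(opt_out, decide(QNAME, [(APEX, APEX, opt_out)], SALT, ITER))
```

With the opt-out flag clear, the cached record answers every further random label locally; with it set, each one still reaches the zone's servers.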


