[dns-operations] You live in a dump, Quoyle!
John Kristoff
jtk at dataplane.org
Sun Feb 13 14:29:41 UTC 2022
On Sun, 13 Feb 2022 05:38:21 +0000
"Mark Delany" <b9w at charlie.emu.st> wrote:
> I recently built a toy server to experiment with configless ipv6
> reverse answers and a side-effect is that I scrutinized all the
> queries for an extended period. Big mistake!
No, it can be quite revealing in fact. We essentially do this at
Dataplane.org. Shameless plug, I referred to some of this activity in
our recent newsletter. Some of which you can see the top 10 graphs:
<https://dataplane.substack.com/p/dns-and-ipv6-signals>
> Apart from the incessant, apparent DDOS to ANY/pizzaseo.com,
> ANY/peacecorps.gov and the like thrown at all port 53 ipv4 addresses,
> there is also the inexplicable and also incessant ANY/sl. queries.
> What they do or who they are meant to hurt, I have no clue.
I believe those are all attempts at amplification/reflection DDoS
attacks too. I've talked about this briefly elsewhere, but have not
done a full analysis. In a nutshell, even though many of the names
might not even respond positively, they are still seemingly used as if
they will reflect and amplify. I've verified a number of them recently
with DDoS alerts I see at my day job (NETSCOUT). In fact, some of the
queries you will find all over the address space, even where there are
no port 53 listeners.
I can only venture a guess the reasons. It may be that the attackers
performing the activity have crummy DNS server lists or don't care.
> 24/day A/cb00780e.asert-dns-research.com
This one I can take some of the blame for. We are actively undergoing
some work to improve how we survey the Internet for port 53 services.
I can't promise we'll get it perfect, but we are aware it is suboptimal
and I have been advocating for surveying slower and smarter. I'll pass
on this thread to our group so they're aware that people like you
notice.
> Speaking of qname minimization, hoy boy, do they generate a lot of
> extra queries in the ipv6 reverse tree! I do wonder what secrets are
> being kept safe by not telling a parent name server what lower level
> PTR someone is after, but I'm sure there's good justification for it.
I see lots of qname minimization generally, but haven't really paid
much attention the ip6.arpa queries, but thanks for pointing it out.
I'll try to keep an eye on it.
> Not that it's a lot of traffic and I know there is zero I can do
> about it, but I'm down to 30% of queries actually returning an
> answer, with >50% returning qmin NOERRORs and the rest REFUSED.
Not that it justifies anything, but Internet DNS noise has a long
history. However, in my experience, the actual volume of traffic is
still quite small outside of the actual attack traffic aimed at
victims. It is still largely the percentage of "goodput" to "badput"
remains noticeably and obviously skewed. Personally I don't worry too
much about the noise, but some low-bandwidth or low-power environments
can understandably tire of it. I share your rant, but am at least
trying to make some lemonade out of it. There is a lot of interesting
Internet behavior we learn about by examining it.
John
More information about the dns-operations
mailing list