[dns-operations] DNS measurement traffic etiquette

Petr Špaček pspacek at isc.org
Mon Jan 2 16:36:56 UTC 2023


On 01. 01. 23 20:22, Olafur Gudmundsson wrote:
> 
> Andreas,
> Do not bother to reach out to anyone these are unmanaged automated systems.
> I once ran an experiment where query names were unique (i.e. only used once and derived from the IP address the query was sent to)
> I was still receiving “repeat queries” a year later.
> The queries came from “cloud compute” instances that had nothing to do with the original query.
> Some of the queries came to the address that “sent” the query but others followed the delegation information for the domain
> 
> The interesting fact was how periodic those queries were ==> this was generated by cron jobs by someone doing something DNS related …

+1 to what Olafur said.

It might very well be *me* doing automated PCAP replays in AWS, or 
anyone else doing DNS research, or some sort of QA on DNS software. And 
of course, malware.

I guess the blog post
https://blog.apnic.net/2016/04/04/dns-zombies/
might give you some insight - at least you are not alone :-)

Petr Špaček
Internet Systems Consortium


> 
> Olafur
> 
>> On Dec 21, 2022, at 9:27 PM, Andreas Ott <andreas at naund.org> wrote:
>>
>> About two months ago we retired a network lab at my work by disconnecting it from the internet, and at the time I (naively) removed from the lab domain name all forward DNS records pointing to assets that no longer exist. When it was still live we had forward DNS and reverse PTR records, and in most cases these matched, further, you were most likely to get back consistent answers on forward lookup of the reverse answer. About a week after the closure I also had the reverse DNS records removed from the ISP servers that were authoritative for the in-addr.arpa zones. All caching timeouts would have long occurred by now if an entity would honor what had been in the SOA records. If I query any old records today they do return NXDOMAIN for me.
>>
>> I did move the authoritative DNS servers to a much smaller setup, thinking that with the retirement of the assets there would be less traffic asking for them. However, I am still seeing significant traffic querying forward records of PTR answers that got deleted a long time ago. It appears that this is "measurement" traffic that ignores getting "no" (a.k.a. NXDOMAIN) as an answer, and keeps insisting on sending the same queries over and over. I identified one "DNS labs" entity by name as one of the sources of these queries and will attempt to contact them. Most of the other now useless queries come from anonymous cloud compute based sources, like AWS nodes, which have generic reverse DNS entries and don't allow identifying the responsible party. To me it looks like the case of something being removed from the internet for good is not accounted for when constructing the measurement operations: if you get NXDOMAIN you interpret it as some kind of brokenness that should be back soon, so you keep asking thousands more times until you get an answer?
>>
>> What are my best options to find out who is behind all this traffic when it comes from anonymous sources?
>>
>> For how long should I expect this query traffic to continue?
>>
>> Or is there a way to politely signal to the queriers by any DNS parameters that the record is now gone for good and they can stop asking, and not that something is broken that will be fixed soon?
>>
>> Thanks, andreas
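An added example (not code from anyone in this thread) of the check the messages above suggest for an authoritative operator: group NXDOMAIN answers in a query log by client and name, and flag repeat askers whose gaps look cron-like. The log format and the addresses are constructed for the example; they are not BIND's or any other server's real query-log format.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one answer per line: "ISO-timestamp client qname rcode".
# This is an assumed format for the example, not a real server log format.
SAMPLE_LOG = """\
2023-01-02T00:00:05 203.0.113.7 host1.lab.example.net. NXDOMAIN
2023-01-02T01:00:04 203.0.113.7 host1.lab.example.net. NXDOMAIN
2023-01-02T02:00:06 203.0.113.7 host1.lab.example.net. NXDOMAIN
2023-01-02T03:00:05 203.0.113.7 host1.lab.example.net. NXDOMAIN
2023-01-02T00:12:31 198.51.100.20 www.lab.example.net. NOERROR
2023-01-02T00:13:02 198.51.100.20 host1.lab.example.net. NXDOMAIN
2023-01-02T05:47:19 198.51.100.20 host1.lab.example.net. NXDOMAIN
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower(), rcode))
    return records

def find_repeat_nxdomain(records, min_repeats=3, max_jitter=0.1):
    """Return {(client, qname): {count, median_gap_s, periodic}} for clients that
    keep re-asking a name after NXDOMAIN. 'periodic' is True when at least two
    inter-query gaps exist and none deviates from the median by more than
    max_jitter (relative), which is what a cron-driven prober looks like."""
    by_key = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            by_key[(client, qname)].append(ts)
    report = {}
    for key, times in by_key.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        jitter = max(abs(g - median) for g in gaps) / median if median else 0.0
        periodic = len(gaps) >= 2 and jitter <= max_jitter
        report[key] = {"count": len(times), "median_gap_s": median, "periodic": periodic}
    return report

if __name__ == "__main__":
    for (client, qname), info in find_repeat_nxdomain(parse_log(SAMPLE_LOG)).items():
        print(f"{client} asks {qname} x{info['count']}, every ~{info['median_gap_s']:.0f}s, periodic={info['periodic']}")
```

The periodic entries are the ones worth grouping by network before deciding whether reaching out is worth the effort; one-off re-asks from recursive resolvers after negative-cache expiry fall below the repeat threshold.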