[dns-operations] Resolvers seeing repeated bursts of identical queries

Brown, William wbrown at e1b.org
Mon Jan 9 18:32:00 UTC 2023


Coming from the spam filtering side of my job... I wonder if they could be part of a filter resolving URLs (based on queries for www.<something>) during a burst of identical emails being sent.

Do you know what is at two IP addresses? (no PTR records for them)


--
William Brown
WNYRIC/Erie 1 BOCES

-----Original Message-----
From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf Of sthaug at nethelp.no
Sent: Monday, January 9, 2023 3:50 AM
To: dns-operations at lists.dns-oarc.net
Subject: [dns-operations] Resolvers seeing repeated bursts of identical queries



We are receiving a significant amount of query bursts on our resolvers with the following characteristics:

- A client IP doing a burst of queries for the same name repeatedly, very quickly.
- The query is typically an A query.
- A burst often has 50 - 100 queries for the same name within a few milliseconds.
- All the queries within one burst have the same DNS query ID (but different IP id and source port number).
- The same client IP producing such bursts of identical queries also sends regular queries (one query per name, DNS query IDs vary).

Example of (part of) query burst - in this case the client sends bursts of 84 queries within less than 1 ms:

09:24:56.593259 IP 194.19.79.131.58089 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593283 IP 194.19.79.131.38426 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593307 IP 194.19.79.131.56931 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593346 IP 194.19.79.131.42976 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593350 IP 194.19.79.131.11638 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)
09:24:56.593366 IP 194.19.79.131.22476 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38) ...
09:24:56.594364 IP 194.19.79.131.41548 > 193.75.75.193.53: 24781+ A? www.jointraining.com. (38)

followed by another burst of 84 queries in around 1.1 ms:

09:24:56.594416 IP 194.19.79.131.38426 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594475 IP 194.19.79.131.42976 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594501 IP 194.19.79.131.58089 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594560 IP 194.19.79.131.14419 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594561 IP 194.19.79.131.56931 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)
09:24:56.594562 IP 194.19.79.131.18576 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34) ...
09:24:56.595596 IP 194.19.79.131.41232 > 193.75.75.193.53: 28221+ A? www.facebook.com. (34)

I *suspect* the bursts and the regular queries are actually produced by different clients on the inside of a firewall with NAT - but note I don't *know* this is the case.

Does anybody know of software / applications that would produce such query bursts? Note that I don't believe the query bursts are caused by L2 loops or similar, because

- These problems have lasted for weeks
- And they occur for several different (unrelated) customers

Steinar Haug, AS2116
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
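The bursts Steinar describes have a distinctive signature in the capture: one client address, one name, one DNS transaction ID, many different source ports, and tens of queries inside a millisecond, while the same address also sends ordinary queries whose transaction IDs vary. The script below is an added example, not code from either poster or from any DNS vendor: it reads `tcpdump -n` lines of the shape quoted in the thread, flags runs that match that signature, and gives a per-client summary so that burst traffic can be separated from a client's regular queries. The gap and size thresholds, the function names, and the sample lines (constructed with RFC 5737 documentation addresses rather than anything from the real capture) are all assumptions.

```python
"""Flag bursts of identical DNS queries in `tcpdump -n` output.

Added example for the dns-operations thread; not code from the thread.
Thresholds and sample data are assumptions / constructed.
"""
import re
from collections import defaultdict

# Matches the tcpdump line shape quoted in the thread, e.g.
# 09:24:56.593259 IP 192.0.2.10.58089 > 198.51.100.53.53: 24781+ A? www.example.com. (38)
# The flag characters after the txid ("+" = RD, "%" = AA, "$" = CD) are optional.
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<sec>\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[+%$]* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)"
)


def parse_line(line):
    """Return a dict for one tcpdump query line, or None if it is not a query."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # seconds since midnight as a float; fine for sub-millisecond deltas
    d["t"] = int(d.pop("hh")) * 3600 + int(d.pop("mm")) * 60 + float(d.pop("sec"))
    d["sport"] = int(d["sport"])
    d["txid"] = int(d["txid"])
    return d


def find_bursts(lines, gap_ms=1.0, min_queries=20):
    """Group queries by (client, qname, qtype, txid) and report runs whose
    consecutive queries arrive within gap_ms of each other, that are at least
    min_queries long, and that come from more than one source port.

    Assumed thresholds: gap_ms=1.0 and min_queries=20 are chosen to catch the
    50-100 query, sub-millisecond bursts described in the thread. A plain
    retransmit loop from one socket (one source port) is deliberately not reported.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["qname"], rec["qtype"], rec["txid"])].append(rec)

    bursts = []
    for (src, qname, qtype, txid), recs in groups.items():
        recs.sort(key=lambda r: r["t"])

        def emit(run):
            ports = {r["sport"] for r in run}
            if len(run) >= min_queries and len(ports) > 1:
                bursts.append({
                    "client": src, "qname": qname, "qtype": qtype, "txid": txid,
                    "queries": len(run), "distinct_sports": len(ports),
                    "duration_ms": round((run[-1]["t"] - run[0]["t"]) * 1000, 3),
                    "first_seen": run[0]["t"],
                })

        run = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if (cur["t"] - prev["t"]) * 1000 <= gap_ms:
                run.append(cur)
            else:
                emit(run)
                run = [cur]
        emit(run)
    return bursts


def summarize(lines, **kw):
    """Per-client view: total queries, distinct txids and bursts found. An address
    that shows both bursts and varied-txid regular traffic is consistent with a NAT
    fronting several hosts, as the thread suspects, but this alone cannot prove it."""
    per = defaultdict(lambda: {"queries": 0, "txids": set(), "bursts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec:
            per[rec["src"]]["queries"] += 1
            per[rec["src"]]["txids"].add(rec["txid"])
    for b in find_bursts(lines, **kw):
        per[b["client"]]["bursts"] += 1
    return {c: {"queries": p["queries"], "distinct_txids": len(p["txids"]),
                "bursts": p["bursts"]} for c, p in per.items()}


def constructed_burst(hh, mm, start_us, src, dst, txid, qtype, qname, n, step_us, vary_port=True):
    """Constructed tcpdump lines imitating a burst: same txid, one query every
    step_us microseconds, a fresh source port per query unless vary_port is False.
    The trailing length is 12-byte header + wire-format name + 4-byte question tail."""
    out = []
    for i in range(n):
        sec, frac = divmod(start_us + i * step_us, 1_000_000)
        sport = 20000 + i if vary_port else 20000
        out.append(f"{hh:02d}:{mm:02d}:{sec:02d}.{frac:06d} IP {src}.{sport} > {dst}.53: "
                   f"{txid}+ {qtype}? {qname} ({12 + len(qname) + 1 + 4})")
    return out


# Constructed sample capture (RFC 5737 addresses): two bursts like the thread's,
# a single-socket retry loop that must NOT count, three regular queries from the
# same client with varying txids, one query from another client, and one junk line.
SAMPLE_LINES = (
    constructed_burst(9, 24, 56_593_259, "192.0.2.10", "198.51.100.53", 24781, "A", "www.jointraining.com.", 84, 12)
    + constructed_burst(9, 24, 56_594_416, "192.0.2.10", "198.51.100.53", 28221, "A", "www.facebook.com.", 84, 13)
    + constructed_burst(9, 24, 57_000_000, "192.0.2.10", "198.51.100.53", 7777, "A", "retry.example.com.", 30, 500, vary_port=False)
    + [
        "09:24:57.101000 IP 192.0.2.10.40001 > 198.51.100.53.53: 1001+ A? mail.example.net. (34)",
        "09:24:57.402000 IP 192.0.2.10.40002 > 198.51.100.53.53: 1002+ AAAA? mail.example.net. (34)",
        "09:24:57.711000 IP 192.0.2.10.40003 > 198.51.100.53.53: 1003+ A? www.example.org. (33)",
        "09:24:58.000000 IP 192.0.2.77.51000 > 198.51.100.53.53: 4242+ A? www.example.org. (33)",
        "this line is not a DNS query and is ignored",
    ]
)

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LINES):
        print(b)
    print(summarize(SAMPLE_LINES))
```

Feed it real data with `tcpdump -n -i eth0 udp port 53 | python3 bursts.py` after swapping SAMPLE_LINES for `sys.stdin`; the same-txid plus many-source-ports test is what separates these bursts from ordinary client retries, which reuse one socket.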