[dns-operations] Destination-adjacent source address spoofed DNS queries

Matt Nordhoff lists at mn0.us
Wed Mar 6 01:23:38 UTC 2024


On Tue, Mar 5, 2024 at 2:24 PM John Kristoff <jtk at dataplane.org> wrote:
> This seems DNS operationally relevant and I hope no one will mind the
> plug. It was fun to write up a small piece on some curious spoofed DNS
> queries we observed. Something that probably would have been overlooked
> otherwise.  We could probably do this 24x7.  :-)
>
> <https://open.substack.com/pub/dataplane/p/destination-adjacent-source-address>
>
> John

That's a fascinating development. I hope we learn more. I like reading
DNS research but I don't always like reading the logs researchers
generate. :-D

(Never read your DNS logs, you don't want to know. ;-)

For what it's worth, I saw something similar -- but distinctly
different -- in 2021-2022 using the domain dnsdrakkarv6.com. They'd
send two similar queries, one from a real-looking IP, and the other
spoofed with my IP + 1. For example (very edited and redacted):

2021-03-22 IP6 2001:db8::2.1234 > 2001:db8::1.53: 5678+ A? xXXxXX.[38 decimal digits].s67.vp1.v6.dnsdrakkarv6.com. (91)
2021-03-22 IP6 2001:912:800:212::61.1234 > 2001:db8::1.53: 5678+ A? xXXxXX.[38 decimal digits].n67.vp1.v6.dnsdrakkarv6.com. (91)

2022-02-24 IP6 2001:db8:0:2::.1234 > 2001:db8:0:1:ffff:ffff:ffff:ffff.53: 5678+ A? xxXxXx.[38 decimal digits].s128.vp2.v6.dnsdrakkarv6.com. (92)
2022-02-24 IP6 2a10:a080:1100:1000::1.1234 > 2001:db8:0:1:ffff:ffff:ffff:ffff.53: 5678+ A? xxXxXx.[38 decimal digits].n128.vp2.v6.dnsdrakkarv6.com. (92)
-- 
Matt Nordhoff
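A defender-side check for the pattern Matt describes, added here as an example (not code from the post or from the dataplane write-up): it parses tcpdump-style query lines, flags sources that sit within a few addresses of the destination, and groups each hit with the other query sharing its date and transaction ID. The sample lines are constructed on documentation prefixes, and the 16-address threshold is an assumption.

```python
import ipaddress
import re

# Constructed sample modelled on the redacted tcpdump lines in the post:
# documentation prefixes only, the 38-digit label stood in by zeros.
SAMPLE_LOG = """\
2021-03-22 IP6 2001:db8::2.1234 > 2001:db8::1.53: 5678+ A? xXXxXX.{d}.s67.vp1.v6.dnsdrakkarv6.com. (91)
2021-03-22 IP6 2001:db8:1::61.1234 > 2001:db8::1.53: 5678+ A? xXXxXX.{d}.n67.vp1.v6.dnsdrakkarv6.com. (91)
2022-02-24 IP6 2001:db8:0:2::.1234 > 2001:db8:0:1:ffff:ffff:ffff:ffff.53: 5678+ A? xxXxXx.{d}.s128.vp2.v6.dnsdrakkarv6.com. (92)
2022-02-24 IP6 2001:db8:ffff::1.1234 > 2001:db8:0:1:ffff:ffff:ffff:ffff.53: 5678+ A? xxXxXx.{d}.n128.vp2.v6.dnsdrakkarv6.com. (92)
2022-02-24 IP6 2001:db8:55::9.40000 > 2001:db8:0:1:ffff:ffff:ffff:ffff.53: 4242+ A? www.example.com. (33)
""".format(d="0" * 38)

# tcpdump one-line query format: "<date> IP6 <src>.<port> > <dst>.<port>: <id>+ <type>? <name> (<len>)"
LINE_RE = re.compile(
    r"^(?P<date>\S+) IP6 (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+ (?P<qtype>\S+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)

def parse_line(line):
    """Parse one query line into a dict with address objects, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    rec["txid"] = int(rec["txid"])
    return rec

def find_destination_adjacent(log_text, max_offset=16):
    """Return queries whose source lies within max_offset of the destination address.
    A server's neighbours rarely query it from across the internet, so a small non-zero
    src - dst offset (the post saw +1) is a cheap spoofing indicator."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["src"].version != rec["dst"].version:
            continue
        offset = int(rec["src"]) - int(rec["dst"])
        if offset != 0 and abs(offset) <= max_offset:
            hits.append({**rec, "offset": offset})
    return hits

def pair_with_adjacent(log_text, max_offset=16):
    """For each adjacent-source hit, list the other sources sharing its date and
    transaction ID: in the post the spoofed query arrived beside a real-looking twin."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    pairs = []
    for hit in find_destination_adjacent(log_text, max_offset):
        mates = [str(r["src"]) for r in records
                 if (r["date"], r["txid"]) == (hit["date"], hit["txid"]) and r["src"] != hit["src"]]
        pairs.append((str(hit["src"]), hit["offset"], mates))
    return pairs
```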
