[dns-operations] random queries
Matt Nordhoff
lists at mn0.us
Sat Mar 15 14:29:44 UTC 2025
On Sat, Mar 15, 2025 at 11:14 AM Hans Mayer via dns-operations
<dns-operations at dns-oarc.net> wrote:
> Dear All,
>
> I saw in the past increased queries for random names. For example from this IP: 60.26.63.253.
> It comes in at about half-minute intervals and doesn't make sense to me at all. I find it over weeks in the logs.
> Any ideas what this should be useful for?
>
> Kind regards
> Hans
>
> --
>
> 177 11:43:09.503477 0.000000 60.26.63.253 60004 53 DNS 89 Standard query 0x39f0 A l4cc6ckm.2ye1143rogpsck7o.ghl
> 178 11:43:19.450370 9.946893 60.26.63.253 60003 53 DNS 78 Standard query 0x34ed A 40jq6gahddxnwh8.hg
> 315 11:44:25.713049 66.262679 60.26.63.253 60003 53 DNS 76 Standard query 0x18d3 A afcm5cqrrl8k.czp
> 428 11:46:01.910455 96.197406 60.26.63.253 60003 53 DNS 91 Standard query 0x0bba A zwz35moj6cdv8o.lbghtnt1el3z.b16
> 499 11:46:36.170071 34.259616 60.26.63.253 60001 53 DNS 74 Standard query 0xec33 A eky8x.na7ly.bl
I can say +1, I've been receiving the same traffic, it's not just you,
but I don't have anything more helpful to add.

I run US NTP Pool servers -- which receive some abuse and a lot of
weird traffic -- and authoritative DNS servers. At first this traffic
seemed like it might only be hitting NTP IPs, but now it seems to be
hitting other IPs too. Yay. :-(

The "source" IP has changed a few times but I think it's always within
60.26.0.0/16. Right now it's 60.26.67.97.

Since it could be a reflection/amplification attack with spoofed
source addresses, that might be the victim rather than anyone
responsible.
--
Matt Nordhoff
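
One way to check a capture like the one quoted above for this pattern on an authoritative server: keep only queries for names outside the zones the server serves, and group them by source /16, since the source address in the thread moved within 60.26.0.0/16. This is an added example, not code from either poster; `SERVED_ZONES`, the function names, the /48 grouping for IPv6 and the last sample line are assumptions made here, and timestamps are assumed to fall within one day.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

SERVED_ZONES = {"example.com"}  # assumption: zones this server is authoritative for

# The first five lines are the capture quoted in the thread; the last line is
# constructed for contrast (documentation address, in-zone name).
SAMPLE = """\
177 11:43:09.503477 0.000000 60.26.63.253 60004 53 DNS 89 Standard query 0x39f0 A l4cc6ckm.2ye1143rogpsck7o.ghl
178 11:43:19.450370 9.946893 60.26.63.253 60003 53 DNS 78 Standard query 0x34ed A 40jq6gahddxnwh8.hg
315 11:44:25.713049 66.262679 60.26.63.253 60003 53 DNS 76 Standard query 0x18d3 A afcm5cqrrl8k.czp
428 11:46:01.910455 96.197406 60.26.63.253 60003 53 DNS 91 Standard query 0x0bba A zwz35moj6cdv8o.lbghtnt1el3z.b16
499 11:46:36.170071 34.259616 60.26.63.253 60001 53 DNS 74 Standard query 0xec33 A eky8x.na7ly.bl
500 11:46:40.000000 3.829929 192.0.2.10 53124 53 DNS 75 Standard query 0x1a2b A www.example.com
"""

LINE = re.compile(
    r"^\s*\d+\s+(\d+):(\d+):(\d+\.\d+)\s+\S+\s+(\S+)\s+\d+\s+53\s+DNS\s+\d+"
    r"\s+Standard query\s+0x[0-9a-f]+\s+\S+\s+(\S+)\s*$")

def in_served_zone(qname, zones):
    name = qname.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)

def source_block(addr):
    # A source that rotates inside one allocation still lands in one bucket.
    ip = ipaddress.ip_address(addr)
    prefix = 16 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def summarize(capture, zones=SERVED_ZONES):
    hits = defaultdict(lambda: {"times": [], "sources": set()})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or in_served_zone(m.group(5), zones):
            continue  # unparsed line, or a query for a zone we actually serve
        h, mi, s, src, _ = m.groups()
        entry = hits[source_block(src)]
        entry["times"].append(int(h) * 3600 + int(mi) * 60 + float(s))
        entry["sources"].add(src)
    report = {}
    for block, e in hits.items():
        t = sorted(e["times"])
        gaps = [b - a for a, b in zip(t, t[1:])]
        report[block] = {"queries": len(t), "sources": len(e["sources"]),
                         "median_gap_s": round(median(gaps), 3) if gaps else None}
    return report
```

Because the source may be spoofed, the per-block counts describe what arrives at the server, not who sent it.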