[dns-operations] random queries

Matt Nordhoff lists at mn0.us
Sat Mar 15 14:29:44 UTC 2025


On Sat, Mar 15, 2025 at 11:14 AM Hans Mayer via dns-operations
<dns-operations at dns-oarc.net> wrote:
> Dear All,
>
> I saw in the past increased queries for random names. For example, from this IP: 60.26.63.253
> It comes in about half-minute intervals and doesn't make sense to me at all. I find it over weeks in the logs.
> Any ideas what this should be useful for?
>
> Kind regards
> Hans
>
> --
>
> 177     11:43:09.503477 0.000000        60.26.63.253    60004  53      DNS     89      Standard query 0x39f0 A l4cc6ckm.2ye1143rogpsck7o.ghl
> 178     11:43:19.450370 9.946893        60.26.63.253    60003  53      DNS     78      Standard query 0x34ed A 40jq6gahddxnwh8.hg
> 315     11:44:25.713049 66.262679       60.26.63.253    60003  53      DNS     76      Standard query 0x18d3 A afcm5cqrrl8k.czp
> 428     11:46:01.910455 96.197406       60.26.63.253    60003  53      DNS     91      Standard query 0x0bba A zwz35moj6cdv8o.lbghtnt1el3z.b16
> 499     11:46:36.170071 34.259616       60.26.63.253    60001  53      DNS     74      Standard query 0xec33 A eky8x.na7ly.bl

I can say +1, I've been receiving the same traffic, it's not just you,
but I don't have anything more helpful to add.

I run US NTP Pool servers -- which receive some abuse and a lot of
weird traffic -- and authoritative DNS servers. At first this traffic
seemed like it might only be hitting NTP IPs, but now it seems to be
hitting other IPs too. Yay. :-(

The "source" IP has changed a few times but I think it's always within
60.26.0.0/16. Right now it's 60.26.67.97.

Since it could be a reflection/amplification attack with spoofed
source addresses, that might be the victim rather than anyone
responsible.
-- 
Matt Nordhoff
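
A triage sketch for the traffic described in this thread, added here as an example and not code from either poster: it parses packet-list lines in the quoted format, keeps queries whose TLD is not in a known-TLD set, and groups them by source /16 with the median gap between queries. `KNOWN_TLDS`, the function names and the last two sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
import statistics
from collections import defaultdict

# Constructed stand-in for the IANA TLD list; a real run would load the full list.
KNOWN_TLDS = {"com", "net", "org", "us", "at"}
# Columns as quoted in the thread: no, time, delta, source, sport, dport, proto, len, info
LINE_RE = re.compile(
    r"^\s*\d+\s+(\d\d):(\d\d):(\d\d\.\d+)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+53\s+"
    r"DNS\s+\d+\s+Standard query 0x[0-9a-f]+ \S+ (\S+)\s*$"
)
# First five lines are from the post; the last two are constructed for illustration.
SAMPLE = """\
177  11:43:09.503477  0.000000   60.26.63.253  60004  53  DNS  89  Standard query 0x39f0 A l4cc6ckm.2ye1143rogpsck7o.ghl
178  11:43:19.450370  9.946893   60.26.63.253  60003  53  DNS  78  Standard query 0x34ed A 40jq6gahddxnwh8.hg
315  11:44:25.713049  66.262679  60.26.63.253  60003  53  DNS  76  Standard query 0x18d3 A afcm5cqrrl8k.czp
428  11:46:01.910455  96.197406  60.26.63.253  60003  53  DNS  91  Standard query 0x0bba A zwz35moj6cdv8o.lbghtnt1el3z.b16
499  11:46:36.170071  34.259616  60.26.63.253  60001  53  DNS  74  Standard query 0xec33 A eky8x.na7ly.bl
560  11:47:10.000000  33.829929  60.26.67.97   60002  53  DNS  72  Standard query 0x1a2b A q7x2m9d.zz9k
561  11:47:12.000000  2.000000   192.0.2.10    53211  53  DNS  75  Standard query 0xaaaa A www.example.com
"""

def parse(line):
    """Return (seconds_since_midnight, source_ip, qname), or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, qname = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, qname.rstrip(".").lower()

def summarize(text, prefix_len=16):
    """Group queries whose TLD is not in KNOWN_TLDS by source prefix."""
    groups = defaultdict(lambda: {"times": [], "sources": set()})
    for ts, src, qname in filter(None, map(parse, text.splitlines())):
        if qname.rsplit(".", 1)[-1] in KNOWN_TLDS:
            continue  # plausible name, not part of the random-TLD pattern
        net = str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
        groups[net]["times"].append(ts)
        groups[net]["sources"].add(src)
    report = {}
    for net, g in groups.items():
        times = sorted(g["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[net] = {"queries": len(times), "sources": sorted(g["sources"]),
                       "median_gap_s": statistics.median(gaps) if gaps else None}
    return report
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the source addresses may be spoofed, as noted above, the grouping characterises the traffic pattern rather than identifying who sends it.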


