[dns-operations] random queries
John Kristoff
jtk at dataplane.org
Sat Mar 15 15:09:22 UTC 2025
On Sat, 15 Mar 2025 12:12:17 +0100
Hans Mayer via dns-operations <dns-operations at dns-oarc.net> wrote:
> I saw in the past increased queries for random names. For example
> from this IP 60.26.63.253
We (Dataplane.org) have been seeing this as well. It currently shows up
in our signal feed here:
<https://dataplane.org/signals/dnsrd.txt>
> Any ideas for what this should be useful ?
Not off the top of my head. It does not appear to be a real resolver,
in the sense that it is probably just some stateless scanner. Always
UDP, rd is set, source port is usually of a limited range (e.g., 60001 -
60004). If they are looking for DNS responses, maybe it is looking for a
referral as opposed to negative responses for the purposes of finding
some amplification? Or just inventorying destinations that return a
well-formed DNS response?
John
More information about the dns-operations
mailing list