--- Begin Message ---
Moritz,

I can't explain the TXT queries, but the NS queries seem to be Google's method 
of doing qname minimization, with an added nonce value.  See 
https://indico.dns-oarc.net/event/39/contributions/864/ and 
https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes

DW


> On Oct 7, 2021, at 4:50 AM, Moritz Müller via dns-operations 
> <[email protected]> wrote:
> 
> 
> From: Moritz Müller <[email protected]>
> Subject: Lots of TXT queries from Google
> Date: October 7, 2021 at 4:50:21 AM PDT
> To: <[email protected]>
> 
> 
> Hi,
> 
> For the second time in a few weeks we noticed a significant increase in
> queries for NS and TXT records at our .nl name servers, originating almost
> exclusively from the Public DNS resolvers of Google.
> Did someone else notice something similar or have an explanation?
> 
> In comparison to the beginning of September, the number of NS queries
> increased 2-fold and the number of TXT queries almost 6-fold.
> At some point, 25% of all queries to our name servers for .nl were for TXT
> records.
> 
> The resolvers query either for a domain name following the pattern
> _dmarc.foo.nl or default._domainkey.foo.nl, where foo is a random string,
> 12 characters long.
> 
> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
> 
> The queried second level domain names are not registered and queries for the 
> same domain name are repeated 3 to 5 times.
> At some point, 80% of all TXT queries from Google had these patterns, 36% of
> all queries from Google resolvers.
> 
> The queries started ramping up around 2021-09-05 and reached their peak at 
> 2021-09-18. They never reached a concerning level, but we first noticed them 
> because our machine processing the incoming PCAP files couldn’t cope anymore.
> 
> We assume that this is likely not an attack but some tests/measurements, 
> which got a bit out of hand. But since we don’t see the origin of the queries 
> behind the Google resolvers, we’re not sure to whom to reach out.
> 
> —
> Moritz
> 
> —
> SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
> T +31 (0)26 352 55 00
> [email protected] | www.sidn.nl
> pgp key: https://pgp.mit.edu/pks/lookup?op=get&search=0x0AF8922B1659B448
> 
> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



--- End Message ---
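As an added illustration (not code from either poster), the following Python classifier runs over constructed query-log lines and flags the two name shapes Moritz describes (_dmarc.<12 random chars>.nl and default._domainkey.<12 random chars>.nl), restricted to a placeholder resolver prefix, then reports the share of TXT queries that match and how often each flagged name repeats. The log format, the 203.0.113.0/24 prefix and all sample lines are assumptions constructed for the example; the two flagged names are the ones quoted in the report.

```python
import ipaddress
import re
from collections import Counter

# Query-name shapes from the report: _dmarc.<12 chars>.nl. and
# default._domainkey.<12 chars>.nl., with a random second-level label.
SUSPECT_NAME = re.compile(
    r"^(?:_dmarc|default\._domainkey)\.[a-z0-9]{12}\.nl\.$")

# Constructed placeholder prefix (TEST-NET-3) standing in for the resolver
# operator's published egress ranges.
RESOLVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def analyse(lines, nets=RESOLVER_NETS):
    """Count TXT queries from the watched prefixes, flag names matching the
    random-label pattern, and record how often each flagged name repeats.
    Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    txt_total = txt_suspect = 0
    repeats = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, qtype = parts
        if qtype.upper() != "TXT":
            continue
        if not any(ipaddress.ip_address(client) in net for net in nets):
            continue
        txt_total += 1
        if SUSPECT_NAME.match(qname.lower()):
            txt_suspect += 1
            repeats[qname.lower()] += 1
    share = txt_suspect / txt_total if txt_total else 0.0
    return {"txt_total": txt_total, "txt_suspect": txt_suspect,
            "suspect_share": share, "repeats": dict(repeats)}

# Constructed sample log; the two flagged names are the report's own examples.
SAMPLE_LOG = """\
2021-09-18T10:00:00 203.0.113.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:00 203.0.113.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:01 203.0.113.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:01 203.0.113.12 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:02 203.0.113.12 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:02 203.0.113.12 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:03 203.0.113.12 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:03 203.0.113.11 _dmarc.example.nl. TXT
2021-09-18T10:00:04 203.0.113.11 example.nl. NS
2021-09-18T10:00:04 198.51.100.5 _dmarc.mdvlxtagogij.nl. TXT
"""
```

Calling `analyse(SAMPLE_LOG.splitlines())` on the sample gives 7 of 8 resolver-sourced TXT queries matching, with the two names repeated 3 and 4 times, which is the kind of per-name repeat count the report used to characterise the traffic.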
