--- Begin Message ---
Hi,
For the second time in a few weeks we noticed a significant increase in queries
for NS and TXT records at our .nl name servers, originating almost exclusively
from the Public DNS resolvers of Google.
Did someone else notice something similar or has an explanation?
In comparison to the beginning of September, the number of NS queries increased
2-fold and the number of TXT queries almost 6-fold.
At some point, 25% of all queries to our name servers for .nl were for TXT
records.
The resolvers query either for a domain name following the pattern
_dmarc.foo.nl or default._domainkey.foo.nl.
Where foo is a random string, 12 characters long.
Examples are:
_dmarc.mdvlxtagogij.nl.
default._domainkey.vppj4svmbclt.nl.
The queried second level domain names are not registered and queries for the
same domain name are repeated 3 to 5 times.
At some point, 80% of all TXT queries from Google had these patterns, 36% of
all queries from Google resolvers.
The queries started ramping up around 2021-09-05 and reached their peak at
2021-09-18. They never reached a concerning level, but we first noticed them
because our machine processing the incoming PCAP files couldn’t cope anymore.
We assume that this is likely not an attack but some tests/measurements, which
got a bit out of hand. But since we don’t see the origin of the queries behind
the Google resolvers, we’re not sure to whom to reach out.
—
Moritz
—
SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 00
[email protected] | www.sidn.nl
pgp key: https://pgp.mit.edu/pks/lookup?op=get&search=0x0AF8922B1659B448
--- End Message ---
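The query pattern described in the message above can be counted in an authoritative server's query log. The following is an added example, not part of the original post. It assumes queries are already parsed into (qname, qtype) pairs, that the 12-character label uses only a-z and 0-9 (inferred from the two examples in the message), and that a set of registered second-level labels is available; the sample data is constructed.

```python
import re
from collections import Counter

# Pattern from the message: _dmarc.<label>.nl or default._domainkey.<label>.nl,
# with a 12-character <label>. The character class is an assumption.
PROBE_RE = re.compile(r"^(_dmarc|default\._domainkey)\.([a-z0-9]{12})\.nl\.?$")

def probe_sld(qname):
    """Return the 12-character second-level label if qname fits the pattern."""
    # Lowercase first: resolvers may send mixed-case query names.
    m = PROBE_RE.match(qname.lower())
    return m.group(2) if m else None

def summarize(queries, registered=frozenset()):
    """Share of TXT queries that fit the pattern for unregistered names,
    plus how often each second-level label was queried."""
    txt_total = 0
    repeats = Counter()
    for qname, qtype in queries:
        if qtype != "TXT":
            continue
        txt_total += 1
        sld = probe_sld(qname)
        if sld and sld not in registered:
            repeats[sld] += 1
    matched = sum(repeats.values())
    share = matched / txt_total if txt_total else 0.0
    return {"txt_total": txt_total, "matched": matched,
            "share": share, "repeats": dict(repeats)}

# Constructed sample: the two names quoted in the message, repeated,
# mixed with queries that must not be counted.
SAMPLE = (
    [("_dmarc.mdvlxtagogij.nl.", "TXT")] * 3
    + [("default._domainkey.vppj4svmbclt.nl.", "TXT")] * 4
    + [
        ("_dmarc.example.nl.", "TXT"),                     # label is not 12 chars
        ("_dmarc.abcdefghijkl.nl.", "TXT"),                # registered (constructed)
        ("selector1._domainkey.abcdefghijkl.nl.", "TXT"),  # different selector
        ("mdvlxtagogij.nl.", "NS"),                        # not a TXT query
    ]
)

if __name__ == "__main__":
    print(summarize(SAMPLE, registered={"abcdefghijkl"}))
```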
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations