On Sun, 13 Feb 2022 05:38:21 +0000 "Mark Delany" <[email protected]> wrote:
> I recently built a toy server to experiment with configless ipv6
> reverse answers and a side-effect is that I scrutinized all the
> queries for an extended period. Big mistake!

No, it can be quite revealing in fact. We essentially do this at Dataplane.org. Shameless plug, I referred to some of this activity in our recent newsletter, some of which you can see in the top 10 graphs:

<https://dataplane.substack.com/p/dns-and-ipv6-signals>

> Apart from the incessant, apparent DDOS to ANY/pizzaseo.com,
> ANY/peacecorps.gov and the like thrown at all port 53 ipv4 addresses,
> there is also the inexplicable and also incessant ANY/sl. queries.
> What they do or who they are meant to hurt, I have no clue.

I believe those are all attempts at amplification/reflection DDoS attacks too. I've talked about this briefly elsewhere, but have not done a full analysis. In a nutshell, even though many of the names might not even respond positively, they are still seemingly used as if they will reflect and amplify. I've verified a number of them recently with DDoS alerts I see at my day job (NETSCOUT). In fact, some of the queries you will find all over the address space, even where there are no port 53 listeners. I can only venture a guess at the reasons. It may be that the attackers performing the activity have crummy DNS server lists or don't care.

> 24/day A/cb00780e.asert-dns-research.com

This one I can take some of the blame for. We are actively undergoing some work to improve how we survey the Internet for port 53 services. I can't promise we'll get it perfect, but we are aware it is suboptimal and I have been advocating for surveying slower and smarter. I'll pass on this thread to our group so they're aware that people like you notice.

> Speaking of qname minimization, hoo boy, do they generate a lot of
> extra queries in the ipv6 reverse tree! I do wonder what secrets are
> being kept safe by not telling a parent name server what lower level
> PTR someone is after, but I'm sure there's good justification for it.

I see lots of qname minimization generally, but haven't really paid much attention to the ip6.arpa queries, but thanks for pointing it out. I'll try to keep an eye on it.

> Not that it's a lot of traffic and I know there is zero I can do
> about it, but I'm down to 30% of queries actually returning an
> answer, with >50% returning qmin NOERRORs and the rest REFUSED.

Not that it justifies anything, but Internet DNS noise has a long history. However, in my experience, the actual volume of traffic is still quite small outside of the actual attack traffic aimed at victims. The percentage of "goodput" to "badput" still remains noticeably and obviously skewed. Personally I don't worry too much about the noise, but some low-bandwidth or low-power environments can understandably tire of it. I share your rant, but am at least trying to make some lemonade out of it. There is a lot of interesting Internet behavior we learn about by examining it.

John

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
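Added illustration, not part of the thread: why qname minimization is so chatty under ip6.arpa. The walk below is a simplified one-label-per-step model of RFC 9156 (real resolvers may add several labels per step and stop early on NXDOMAIN or a learned delegation), so the counts are an upper bound; the addresses are documentation-range samples chosen for the example.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for addr (in-addr.arpa / ip6.arpa, RFC 3596)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def qmin_walk(name: str, known_cut: str) -> list[str]:
    """Simplified qname-minimization walk: one label per step (assumption).

    Starting just below a zone cut the resolver already knows (known_cut),
    each successive query adds one more label of the target name until the
    full name is reached. This is what makes a 32-nibble ip6.arpa name so
    expensive compared with a 4-label in-addr.arpa name.
    """
    labels = name.rstrip(".").split(".")
    cut = known_cut.rstrip(".").split(".")
    if labels[-len(cut):] != cut:
        raise ValueError(f"{name} is not below {known_cut}")
    depth = len(labels) - len(cut)
    return [".".join(labels[depth - k:]) + "." for k in range(1, depth + 1)]


def query_counts(addr: str) -> dict:
    """Summarise the minimised queries needed to resolve the PTR for addr."""
    name = reverse_name(addr)
    cut = "ip6.arpa." if ":" in addr else "in-addr.arpa."
    walk = qmin_walk(name, cut)
    return {"name": name, "qmin_queries": len(walk),
            "first": walk[0], "last": walk[-1]}


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for a in ("192.0.2.1", "2001:db8::1"):
        c = query_counts(a)
        print(f"{a}: up to {c['qmin_queries']} minimised queries, "
              f"starting at {c['first']} and ending at {c['name']}")
```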
