On 01. 01. 23 20:22, Olafur Gudmundsson wrote:
Andreas,
Do not bother to reach out to anyone; these are unmanaged automated systems.
I once ran an experiment where query names were unique (i.e. only used once and
derived from the IP address the query was sent to).
I was still receiving “repeat queries” a year later.
The queries came from “cloud compute” instances that had nothing to do with the
original query.
Some of the queries came to the address that “sent” the query, but others
followed the delegation information for the domain.
The interesting fact was how periodic those queries were ==> this was generated
by cron jobs by someone doing something DNS related …
+1 to what Olafur said.
It might very well be *me* doing automated PCAP replays in AWS, or
anyone else doing DNS research, or some sort of QA on DNS software. And
of course, malware.
I guess the blog post
https://blog.apnic.net/2016/04/04/dns-zombies/
might give you some insight - at least you are not alone :-)
Petr Špaček
Internet Systems Consortium
Olafur
On Dec 21, 2022, at 9:27 PM, Andreas Ott <[email protected]> wrote:
About two months ago we retired a network lab at my work by disconnecting it
from the internet, and at the time I (naively) removed from the lab domain name
all forward DNS records pointing to assets that no longer exist. When it was
still live we had forward DNS and reverse PTR records, and in most cases these
matched; further, you were most likely to get back consistent answers on
forward lookup of the reverse answer. About a week after the closure I also had
the reverse DNS records removed from the ISP servers that were authoritative
for the in-addr.arpa zones. All caching timeouts would have long occurred by
now if an entity would honor what had been in the SOA records. If I query any
old records today they do return NXDOMAIN for me.
I did move the authoritative DNS servers to a much smaller setup, thinking that
with the retirement of the assets there would be less traffic asking for them.
However, I am still seeing significant traffic querying forward records of PTR
answers that got deleted a long time ago. It appears that this is "measurement"
traffic that ignores getting "no", a.k.a. NXDOMAIN, as an answer, and keeps
insisting on sending the same queries over and over. I identified one "DNS labs"
entity by name as one of the sources of these queries and will attempt to
contact them. Most of the other now-useless queries come from anonymous
cloud-compute-based sources, like AWS nodes, which have generic reverse DNS
entries and don't allow identifying the responsible party. To me it looks like
the case of something being removed from the internet for good is not accounted
for when constructing the measurement operations: if you get NXDOMAIN, you
interpret it as if it must be some kind of brokenness and should be back soon,
so you keep asking thousands more times until you get an answer?
What are my best options to find out who is behind all this traffic when it
comes from anonymous sources?
For how long should I expect this query traffic to continue?
Or is there a way to politely signal to the queriers, by any DNS parameters,
that the record is now gone for good and they can stop asking, and not that
something is broken that will be fixed soon?
Thanks, andreas
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
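The two ideas in this thread that an operator can act on are Olafur's unique-per-probe query names (so that a later "zombie" query can be traced back to the address the probe was originally sent to) and the observation that zombie traffic is periodic, which points at cron jobs. The following Python is an added example, not code from any poster or from the dns-operations list: it builds self-attributing query names under a hypothetical zone `lab.example` with a constructed HMAC secret, then runs over a constructed query log (timestamp, source, qname, rcode) to find sources that keep asking for a name already answered NXDOMAIN, scores how cron-like their intervals are, and attributes tagged names back to the probe target. The log format, thresholds and all addresses are assumptions.

```python
import hmac
import hashlib
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical values for this example (not from the thread).
ZONE = "lab.example"
SECRET = b"constructed-probe-secret"


def tagged_qname(target_ip: str, nonce: str) -> str:
    """Unique, self-attributing query name: hex of the address the probe was
    sent to, a per-probe nonce, and a short MAC so a later repeat can be
    verified as one of ours rather than a coincidental lookup."""
    ip_hex = ipaddress.ip_address(target_ip).packed.hex()
    mac = hmac.new(SECRET, f"{ip_hex}.{nonce}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"{ip_hex}-{nonce}-{mac}.{ZONE}"


def attribute(qname: str):
    """Recover the original probe target from a tagged name; None when the
    name is not one of ours (other zone, malformed label, or MAC mismatch)."""
    if not qname.endswith("." + ZONE):
        return None
    parts = qname[: -len(ZONE) - 1].split("-")
    if len(parts) != 3:
        return None
    ip_hex, nonce, mac = parts
    expected = hmac.new(SECRET, f"{ip_hex}.{nonce}".encode(), hashlib.sha256).hexdigest()[:8]
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return str(ipaddress.ip_address(bytes.fromhex(ip_hex)))
    except ValueError:
        return None


def parse_log(text: str):
    """Parse constructed query-log lines: '<iso-time> <src-ip> <qname> <rcode>'."""
    records = []
    for line in text.strip().splitlines():
        ts, src, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), src, qname.lower().rstrip("."), rcode))
    return records


def periodicity(times):
    """Median gap between consecutive queries (seconds) and the coefficient of
    variation of the gaps; a low CV over several gaps looks like a cron job."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return statistics.median(gaps), cv


def zombie_queriers(records, min_repeats=3, max_cv=0.1):
    """Sources that keep asking for a name already answered NXDOMAIN, with
    their query period, a cron-likeness flag, and the attributed probe target."""
    by_key = defaultdict(list)
    for ts, src, qname, rcode in records:
        if rcode == "NXDOMAIN":
            by_key[(src, qname)].append(ts)
    findings = {}
    for (src, qname), times in by_key.items():
        if len(times) < min_repeats:
            continue
        times.sort()
        median, cv = periodicity(times)
        findings[(src, qname)] = {
            "count": len(times),
            "period_s": median,
            "cron_like": cv <= max_cv,
            "probe_target": attribute(qname),
        }
    return findings


# Constructed sample: two probes and a small log of responses to repeat queries.
PROBE_NAME = tagged_qname("192.0.2.10", "0001")  # probe originally sent to 192.0.2.10
OTHER_NAME = tagged_qname("192.0.2.11", "0002")  # probe originally sent to 192.0.2.11


def constructed_log() -> str:
    lines = [f"2023-01-01T0{h}:00:00 198.51.100.9 {PROBE_NAME} NXDOMAIN" for h in range(4)]  # hourly
    lines += [f"2023-01-01T00:00:00 203.0.113.50 {OTHER_NAME} NXDOMAIN",   # irregular gaps
              f"2023-01-01T00:02:00 203.0.113.50 {OTHER_NAME} NXDOMAIN",
              f"2023-01-01T03:02:00 203.0.113.50 {OTHER_NAME} NXDOMAIN",
              "2023-01-01T05:00:00 203.0.113.7 www.lab.example NXDOMAIN",   # one-off, not a zombie
              "2023-01-01T06:00:00 203.0.113.7 www.lab.example NOERROR"]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, info in zombie_queriers(parse_log(constructed_log())).items():
        print(key, info)
```

A source that asks for the same deleted name on a fixed interval, with the name decoding to a valid probe target, is the cron-job case Olafur describes; the MAC keeps random or typo-driven lookups under the zone from being misattributed to a probe, and the (source, period) pairs are what you would aggregate per cloud provider before deciding whether any contact attempt is worth making.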