Re: [dns-operations] Lot's of TXT queries from Google

2021-10-11 Thread Moritz Müller via dns-operations
> 
> I think this falls in the category of unusual but non-critical traffic
> spikes. Unless there is a pattern here to suggest future risk it is
> not worthwhile to investigate further.

Fair enough. We will keep an eye on it and will let you know if traffic becomes 
more worrisome.

> 
> This is another case where NSEC3 opt-out interferes with effective
> NSEC{3} response caching which would reduce queries to the TLD.
> 

Good point. This is still something that we’re debating internally.

—
Moritz


___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] Lot's of TXT queries from Google

2021-10-08 Thread Puneet Sood via dns-operations
On Fri, Oct 8, 2021 at 3:42 AM Moritz Müller via dns-operations
 wrote:
> -- Forwarded message --
> From: "Moritz Müller" 
> To: "Blacka, David via dns-operations" 
> Cc:
> Bcc:
> Date: Fri, 8 Oct 2021 09:37:34 +0200
> Subject: Re: [dns-operations] Lot's of TXT queries from Google
> Thank you for trying to help out folks!
>
> > On 7 Oct 2021, at 16:56, Viktor Dukhovni  wrote:
> >
> > I wonder whether this is an attempt to collect the NSEC3 chain for an
> > off-line dictionary attack?  12 character random names are long enough
> > to sample the space very well, though shorter strings would also do.
>
> That sounds possible, but doesn’t explain the _dmarc/default labels, right?
>
> @puneet
> Would that be worth further exploring on your side?
> At some point, we received 16264 qps of those types of queries at one site.

I think this falls in the category of unusual but non-critical traffic
spikes. Unless there is a pattern here to suggest future risk it is
not worthwhile to investigate further.

This is another case where NSEC3 opt-out interferes with effective
NSEC{3} response caching which would reduce queries to the TLD.

-Puneet

>
> —
> Moritz

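Puneet's remark that NSEC3 opt-out interferes with NSEC3 response caching refers to aggressive negative caching (RFC 8198): a resolver that already holds an NSEC3 record covering the hash of a non-existent 2LD can answer NXDOMAIN for names under it from cache instead of asking the TLD again, which would absorb most of the repeated queries for random labels described in this thread. When the covering record carries the Opt-Out flag, it does not rule out an unsigned delegation sitting in that hash gap, so the resolver has to forward the query anyway. As an added example (not code from the thread, and not SIDN's or Google's), the script below hashes names as in RFC 5155, builds a small NSEC3 chain for a constructed stand-in for a TLD zone, and shows what a resolver can do with and without Opt-Out. The zone contents, salt and iteration count are made up, and only the next-closer-name step of the NXDOMAIN proof is checked; a complete proof also needs the closest-encloser match and wildcard coverage.

```python
"""NSEC3 hashing (RFC 5155 section 5), a toy chain, and the Opt-Out caveat
for aggressive negative caching (RFC 8198).  Added illustration, not code
from the thread; zone names, salt and iteration count are constructed."""
import base64
import hashlib

# RFC 4648 base32hex, obtained by translating Python's standard base32 output.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPT_OUT = 0x01  # Opt-Out bit of the NSEC3 flags field (RFC 5155 section 3.1.2.1)


def wire_name(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """SHA-1(name || salt), then re-hashed with the salt `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def build_chain(names, salt_hex, iterations, opt_out):
    """NSEC3 chain for the signed names as (owner_hash, next_hash, flags), in hash
    order, last record wrapping to the first.  opt_out=True sets the flag on every
    record, as a TLD that keeps unsigned delegations out of the chain would."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    flags = OPT_OUT if opt_out else 0
    return [(h, hashes[(i + 1) % len(hashes)], flags) for i, h in enumerate(hashes)]


def covers(record, qhash):
    """True if qhash lies strictly between owner and next (wrap-around record included)."""
    owner, nxt, _ = record
    if owner < nxt:
        return owner < qhash < nxt
    return qhash > owner or qhash < nxt


def next_closer(qname, apex):
    """Name one label below the zone apex, e.g. _dmarc.foo.nl. under nl. -> foo.nl."""
    q = [l for l in qname.lower().rstrip(".").split(".") if l]
    a = [l for l in apex.lower().rstrip(".").split(".") if l]
    if len(q) <= len(a) or q[-len(a):] != a:
        raise ValueError(f"{qname} is not below {apex}")
    return ".".join(q[-(len(a) + 1):]) + "."


def negative_cache_lookup(chain, qname, apex, salt_hex, iterations):
    """What a resolver holding `chain` can do for qname without asking the TLD:
    'exists' (the 2LD is signed in the zone, follow the referral), 'synthesize'
    (cached proof of nonexistence, answer NXDOMAIN locally) or 'forward'."""
    qhash = nsec3_hash(next_closer(qname, apex), salt_hex, iterations)
    for rec in chain:
        if rec[0] == qhash:
            return "exists"
        if covers(rec, qhash):
            if rec[2] & OPT_OUT:
                return "forward"  # Opt-Out: an unsigned delegation may sit in this gap
            return "synthesize"
    return "forward"  # no covering record cached


# Constructed stand-in for a TLD zone; the real .nl NSEC3 parameters are not assumed.
APEX = "nl."
SALT, ITERATIONS = "c0ffee", 1
SIGNED_NAMES = [APEX, "sidn.nl.", "example.nl."]
CHAIN_OPT_OUT = build_chain(SIGNED_NAMES, SALT, ITERATIONS, opt_out=True)
CHAIN_FULL = build_chain(SIGNED_NAMES, SALT, ITERATIONS, opt_out=False)

if __name__ == "__main__":
    for q in ("_dmarc.mdvlxtagogij.nl.", "default._domainkey.vppj4svmbclt.nl.", "_dmarc.sidn.nl."):
        print(q, "| opt-out:", negative_cache_lookup(CHAIN_OPT_OUT, q, APEX, SALT, ITERATIONS),
              "| no opt-out:", negative_cache_lookup(CHAIN_FULL, q, APEX, SALT, ITERATIONS))
```

The hash routine can be checked against the RFC 5155 Appendix A vector (zone apex `example.`, salt `aabbccdd`, 12 iterations gives `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`). With the Opt-Out chain every random 2LD comes back as `forward`, which is the situation in which each of the repeated `_dmarc`/`_domainkey` queries reaches the TLD; without Opt-Out the second and later queries for the same gap would be answered from the resolver's cache.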


Re: [dns-operations] Lot's of TXT queries from Google

2021-10-08 Thread Viktor Dukhovni
On Fri, Oct 08, 2021 at 09:37:34AM +0200, Moritz Müller via dns-operations 
wrote:

> > I wonder whether this is an attempt to collect the NSEC3 chain for an
> > off-line dictionary attack?  12 character random names are long enough
> > to sample the space very well, though shorter strings would also do.
> 
> That sounds possible, but doesn’t explain the _dmarc/default labels, right?

Indeed, the choice of labels is unexplained; a straightforward NSEC3 hash
scan would perhaps use just random 2LDs and QTYPE = A.

I can't think of why a high-volume unsolicited mail batch would use DKIM
signatures with random non-existent origin domains, rather than simply
leave the signatures out.  I don't know of any advantages to adding such
DKIM signatures (DKIM signatures that can't be checked and absent DKIM
signatures are supposed to be equivalent).

-- 
Viktor.


Re: [dns-operations] Lot's of TXT queries from Google

2021-10-08 Thread Moritz Müller via dns-operations
Thank you for trying to help out, folks!

> On 7 Oct 2021, at 16:56, Viktor Dukhovni  wrote:
> 
> I wonder whether this is an attempt to collect the NSEC3 chain for an
> off-line dictionary attack?  12 character random names are long enough
> to sample the space very well, though shorter strings would also do.

That sounds possible, but doesn’t explain the _dmarc/default labels, right?

@puneet
Would that be worth further exploring on your side?
At some point, we received 16264 qps of those types of queries at one site.

—
Moritz





Re: [dns-operations] Lot's of TXT queries from Google

2021-10-07 Thread Puneet Sood via dns-operations
On Thu, Oct 7, 2021 at 11:22 AM Viktor Dukhovni  wrote:
>
> On Thu, Oct 07, 2021 at 02:53:36PM +, Wessels, Duane via dns-operations 
> wrote:
>
> > I can't explain the TXT queries, but the NS queries seem to be
> > Google's method of doing qname minimization, with an added nonce
> > value.  See https://indico.dns-oarc.net/event/39/contributions/864/
> > and
> > https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes
>
> The odd thing is though that queries with Google's nonce labels to .NL
> would be expected to have the appended label after some desired 2LD:
>
> nonce.extant-2ld.nl
>
> I would not expect Google to append 2LD rather than 3LD nonces in
> queries to the .NL auth servers, those elicit NXDOMAIN, rather than the
> desired nonce-salted referrals.

Correct. These are not nonce prefixes appended by GPDNS. Also we are
mostly querying for NS records when nonce prefixes are used. Given the
RR types being queried, this is likely to be what Matt Nordhoff
mentioned above.

On a related note, the queries you mention send more than two labels
to the NL nameservers. This happens in some scenarios with our qname
minimization implementation. We are making some changes which should
reduce the labels in the query to just two (plus an optional nonce) in
almost all cases.

-Puneet

>
> --
> Viktor.


Re: [dns-operations] Lot's of TXT queries from Google

2021-10-07 Thread Viktor Dukhovni
On Thu, Oct 07, 2021 at 02:53:36PM +, Wessels, Duane via dns-operations 
wrote:

> I can't explain the TXT queries, but the NS queries seem to be
> Google's method of doing qname minimization, with an added nonce
> value.  See https://indico.dns-oarc.net/event/39/contributions/864/
> and
> https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes

The odd thing is though that queries with Google's nonce labels to .NL
would be expected to have the appended label after some desired 2LD:

nonce.extant-2ld.nl

I would not expect Google to append 2LD rather than 3LD nonces in
queries to the .NL auth servers, those elicit NXDOMAIN, rather than the
desired nonce-salted referrals.

-- 
Viktor.


Re: [dns-operations] Lot's of TXT queries from Google

2021-10-07 Thread Viktor Dukhovni
On Thu, Oct 07, 2021 at 01:50:21PM +0200, Moritz Müller via dns-operations 
wrote:

> For the second time in a few weeks we noticed a significant increase
> in queries for NS and TXT records at our .nl name servers, originating
> almost exclusively from the Public DNS resolvers of Google. Did someone
> else notice something similar or have an explanation?

Well, FWIW, it is not my DNSSEC/DANE survey.  I don't query for TXT
records, and if the traffic came from me, you'd see roughly equal query
volumes from Google and Cloudflare, the queries would be primarily for
the DS and NS records of extant signed domains.

> In comparison to the beginning of September, the number of NS queries
> increased 2-fold and the number of TXT queries almost 6-fold.  At some
> point, 25% of all queries to our name servers for .nl were for TXT
> records.
>
> The resolvers query either for a domain name following the pattern
> _dmarc.foo.nl or default._domainkey.foo.nl.  Where foo is a random
> string, 12 characters long.

Rapid7's Project Sonar collects various TXT records, but again I'd
expect mostly extant names, with a variety of qname lengths.

> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
>
> The queried second level domain names are not registered and queries
> for the same domain name are repeated 3 to 5 times.  At some point,
> 80% of all TXT queries from Google had these patterns, 36% of all
> queries from Google resolvers.

I wonder whether this is an attempt to collect the NSEC3 chain for an
off-line dictionary attack?  12 character random names are long enough
to sample the space very well, though shorter strings would also do.

> We assume that this is likely not an attack but some
> tests/measurements, which got a bit out of hand. But since we don’t
> see the origin of the queries behind the Google resolvers, we’re not
> sure to whom to reach out.

Also seems plausible.  If spammers were trying to send from "random"
domains, they'd likely be using domains that actually exist, so that the
mail would be much less likely to be rejected.

-- 
Viktor.
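As an added example (not code from the thread, and not SIDN's own tooling), the script below runs the pattern Moritz describes over a few constructed query-log lines and produces the same kind of numbers he reports: the share of TXT queries for `_dmarc.<label>.nl` / `default._domainkey.<label>.nl` with a 12-character label, whether those 2LDs are delegated, and how often each name repeats. It also counts NS queries carrying more than two labels, the non-minimized shape Duane and Viktor discuss. The log format, the client addresses (RFC 5737 documentation range) and the registered-name set are assumptions; the two example qnames are the ones from the report.

```python
"""Spot the reported query pattern in an authoritative server's query log.
Added illustration, not code from the thread or from SIDN; the log lines,
their field layout and the registered-name set are constructed."""
import re
from collections import Counter

# Constructed log format: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2021-09-18T10:00:00Z 192.0.2.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:01Z 192.0.2.11 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:02Z 192.0.2.10 _dmarc.mdvlxtagogij.nl. TXT
2021-09-18T10:00:03Z 192.0.2.12 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:04Z 192.0.2.12 default._domainkey.vppj4svmbclt.nl. TXT
2021-09-18T10:00:05Z 192.0.2.13 _dmarc.sidn.nl. TXT
2021-09-18T10:00:06Z 192.0.2.13 sidn.nl. NS
2021-09-18T10:00:07Z 192.0.2.14 www.example.nl. A
2021-09-18T10:00:08Z 192.0.2.14 example.nl. NS
2021-09-18T10:00:09Z 192.0.2.15 abc123.example.nl. NS
"""

# Constructed stand-in for the registry's set of delegated 2LDs.
REGISTERED = {"sidn.nl.", "example.nl."}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)$")
# The two owner-name shapes from the report, with a 12-character random 2LD label.
PROBE_RE = re.compile(r"^(?:_dmarc|default\._domainkey)\.([a-z0-9]{12})\.nl\.$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def probe_2ld(qname, qtype):
    """Return the 2LD ('foo.nl.') when the query matches the reported pattern, else None."""
    if qtype != "TXT":
        return None
    m = PROBE_RE.match(qname.lower())
    return f"{m.group(1)}.nl." if m else None


def label_count(qname):
    return len([l for l in qname.rstrip(".").split(".") if l])


def summarize(records, registered):
    """Per-window metrics in the shape of the figures given in the report."""
    txt = [r for r in records if r["qtype"] == "TXT"]
    probes = [(r["qname"].lower(), probe_2ld(r["qname"], r["qtype"])) for r in records]
    probes = [(q, d) for q, d in probes if d]
    per_name = Counter(q for q, _ in probes)
    twolds = {d for _, d in probes}
    unregistered = {d for d in twolds if d not in registered}
    summary = {
        "queries": len(records),
        "txt_queries": len(txt),
        "probe_queries": len(probes),
        "probe_share_of_txt": len(probes) / len(txt) if txt else 0.0,
        "probe_share_of_all": len(probes) / len(records) if records else 0.0,
        "probe_2lds": len(twolds),
        "unregistered_2lds": len(unregistered),
        "max_repeats_per_name": max(per_name.values(), default=0),
        # NS queries with more than two labels were not minimized down to the 2LD.
        "ns_queries_over_two_labels": sum(
            1 for r in records if r["qtype"] == "NS" and label_count(r["qname"]) > 2),
    }
    # Flag the window when the pattern dominates TXT traffic and hits only unregistered 2LDs.
    summary["flag"] = (summary["probe_share_of_txt"] > 0.5
                       and bool(twolds) and unregistered == twolds)
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG), REGISTERED).items():
        print(f"{key:28} {value}")
```

Run against a real capture the interesting columns are `probe_share_of_txt` and `unregistered_2lds` per resolver source range; a high share from one operator's address space, as in the report, narrows the question to whom to contact rather than what the traffic is.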


Re: [dns-operations] Lot's of TXT queries from Google

2021-10-07 Thread Wessels, Duane via dns-operations
Moritz,

I can't explain the TXT queries, but the NS queries seem to be Google's method 
of doing qname minimization, with an added nonce value.  See 
https://indico.dns-oarc.net/event/39/contributions/864/ and 
https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes

DW


> On Oct 7, 2021, at 4:50 AM, Moritz Müller via dns-operations 
>  wrote:
> 
> 
> From: Moritz Müller 
> Subject: Lot's of TXT queries from Google
> Date: October 7, 2021 at 4:50:21 AM PDT
> To: 
> 
> 
> Hi,
> 
> For the second time in a few weeks we noticed a significant increase in 
> queries for NS and TXT records at our .nl name servers, originating almost 
> exclusively from the Public DNS resolvers of Google.
> Did someone else notice something similar or have an explanation?
> 
> In comparison to the beginning of September, the number of NS queries 
> increased 2-fold and the number of TXT queries almost 6-fold.
> At some point, 25% of all queries to our name servers for .nl were for TXT 
> records.
> 
> The resolvers query either for a domain name following the pattern 
> _dmarc.foo.nl or default._domainkey.foo.nl.
> Where foo is a random string, 12 characters long.
> 
> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
> 
> The queried second level domain names are not registered and queries for the 
> same domain name are repeated 3 to 5 times.
> At some point, 80% of all TXT queries from Google had these patterns, 36% of 
> all queries from Google resolvers.
> 
> The queries started ramping up around 2021-09-05 and reached their peak at 
> 2021-09-18. They never reached a concerning level, but we first noticed them 
> because our machine processing the incoming PCAP files couldn’t cope anymore.
> 
> We assume that this is likely not an attack but some tests/measurements, 
> which got a bit out of hand. But since we don’t see the origin of the queries 
> behind the Google resolvers, we’re not sure to whom to reach out.
> 
> —
> Moritz
> 
> —
> SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
> T +31 (0)26 352 55 00
> moritz.mul...@sidn.nl | www.sidn.nl
> pgp key: https://pgp.mit.edu/pks/lookup?op=get=0x0AF8922B1659B448


Re: [dns-operations] Lot's of TXT queries from Google

2021-10-07 Thread Arsen STASIC

Hi,

Just guessing, maybe it's related to 
https://developers.google.com/speed/public-dns/docs/security?hl=en#nonce_prefixes

cheers,
-arsen


* Moritz Müller  [2021-10-07 13:50 (+0200)]:
> 
> Hi,
> 
> For the second time in a few weeks we noticed a significant increase in queries 
> for NS and TXT records at our .nl name servers, originating almost exclusively 
> from the Public DNS resolvers of Google.
> Did someone else notice something similar or have an explanation?
> 
> In comparison to the beginning of September, the number of NS queries increased 
> 2-fold and the number of TXT queries almost 6-fold.
> At some point, 25% of all queries to our name servers for .nl were for TXT 
> records.
> 
> The resolvers query either for a domain name following the pattern 
> _dmarc.foo.nl or default._domainkey.foo.nl, where foo is a random string, 
> 12 characters long.
> 
> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
> 
> The queried second level domain names are not registered and queries for the 
> same domain name are repeated 3 to 5 times.
> At some point, 80% of all TXT queries from Google had these patterns, 36% of 
> all queries from Google resolvers.
> 
> The queries started ramping up around 2021-09-05 and reached their peak at 
> 2021-09-18. They never reached a concerning level, but we first noticed them 
> because our machine processing the incoming PCAP files couldn’t cope anymore.
> 
> We assume that this is likely not an attack but some tests/measurements, which 
> got a bit out of hand. But since we don’t see the origin of the queries behind 
> the Google resolvers, we’re not sure to whom to reach out.
> 
> —
> Moritz
> 
> —
> SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
> T +31 (0)26 352 55 00
> moritz.mul...@sidn.nl | www.sidn.nl
> pgp key: https://pgp.mit.edu/pks/lookup?op=get=0x0AF8922B1659B448






Re: [dns-operations] Lot's of TXT queries from Google

2021-10-07 Thread Matt Nordhoff
On Thu, Oct 7, 2021 at 11:53 AM Moritz Müller via dns-operations
 wrote:
> Hi,
>
> For the second time in a few weeks we noticed a significant increase in 
> queries for NS and TXT records at our .nl name servers, originating almost 
> exclusively from the Public DNS resolvers of Google.
> Did someone else notice something similar or have an explanation?
>
> In comparison to the beginning of September, the number of NS queries 
> increased 2-fold and the number of TXT queries almost 6-fold.
> At some point, 25% of all queries to our name servers for .nl were for TXT 
> records.
>
> The resolvers query either for a domain name following the pattern 
> _dmarc.foo.nl or default._domainkey.foo.nl.
> Where foo is a random string, 12 characters long.
>
> Examples are:
> _dmarc.mdvlxtagogij.nl.
> default._domainkey.vppj4svmbclt.nl.
>
> The queried second level domain names are not registered and queries for the 
> same domain name are repeated 3 to 5 times.
> At some point, 80% of all TXT queries from Google had these patterns, 36% of 
> all queries from Google resolvers.
>
> The queries started ramping up around 2021-09-05 and reached their peak at 
> 2021-09-18. They never reached a concerning level, but we first noticed them 
> because our machine processing the incoming PCAP files couldn’t cope anymore.
>
> We assume that this is likely not an attack but some tests/measurements, 
> which got a bit out of hand. But since we don’t see the origin of the queries 
> behind the Google resolvers, we’re not sure to whom to reach out.

From another perspective, I own some domains in a different ccTLD, and
they get a constant low volume of similar DNS queries, and daily DMARC
reports from major mail providers showing that spam is being sent from
spoofed random subdomains of my domains.

It's mostly died down over the last week.

Maybe the spammers switched to .nl?
-- 
Matt Nordhoff
