dns requests for odd domain names like mAiL.myDOmAIn.De

Question

I have turned on logging in named. About 2% of all requests contain an odd mix of uppercase and lowercase domain, like

Jan  7 10:38:46 s1500 named[27917]: client ip address#34084: query: mAIl.MYdoMain.de IN A - (my ip address)
Jan  7 10:39:40 s1500 named[27917]: client ip address#53023: query: MAil.mYdoMAIn.De IN A - (my ip address)
Jan  7 12:10:07 s1500 named[27917]: client ip address#53576: query: SErver25.mydomAiN.De IN A - (my ip address)

The upper-/lowercase mix changes even if requested from the same client, some requests are just seconds apart. Most requests seem to originate from local (german) DSL providers.

Can someone explain what is going on here? I have no idea why anyone would randomize the domain name capitalization, or which security problem the attacker wants to take advantage of.

Could be a way to bypass some IDS/IPSes. – gparent Jan 08 '13 at 18:36 — gparent, Jan 08 '13 at 18:36

score 8 · Accepted Answer · edited Oct 07 '21 at 07:18

8

They/their clients might be using a DNS implementation which uses 0x20-bit encoding (which helps preventing DNS forgery).
This basically adds more entropy to DNS requests, an attacker now has to guess query ID, source port and query name in the proper case to successfully forge the response.

See https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00

edited Oct 07 '21 at 07:18

Community

1

answered Jan 08 '13 at 18:53

faker

17,496
2
60
70

dns requests for odd domain names like mAiL.myDOmAIn.De

1 Answers1