
In working with Bind DNS servers, which are not open resolvers and do not perform recursive queries, I see a great number of incoming DNS query requests that are denied or refused, that focus on domain names that list the DNS servers as being authoritative for the domains being queried, but are no longer configured with any zones for the domains. These domains are attributable to third parties who have moved their domains, and years later have never updated the listed DNS servers at their registrar. Why do these apparent DDoS UDP attacks focus on non-configured domains or zones? I haven't measured the network traffic to see if there is some type of amplification occurring, but there is a definite focus on non-configured zones.

MRodriguez
  • This may not be an attack, per se, but more like a probe to try and find resolvers that do provide recursive lookups and that may be vulnerable to other forms of exploitation. – Thomas N Dec 09 '16 at 16:07
  • Bots pull down root server and zone data over a long period of time and hold on to that data for a long time. I still get queries for domains I haven't had for 15 years. I also get MX queries for records I haven't had for over a decade. That's why I have about 50 domains with bogus MX records that rotate to random names hourly. To answer your question, unless you are seeing gb/s of traffic, it isn't an attack. It's poorly designed and managed bots. – Aaron Dec 09 '16 at 16:50
  • Yes, "random qname attacks" exist. See https://indico.dns-oarc.net/event/21/contributions/283/attachments/268/488/OARC_Everyday_Attacks_final.pdf for example. – Patrick Mevzek Sep 17 '19 at 02:43

1 Answer


We've seen similar questions from users who acquire IP space that was previously used for DNS servers. Suffice it to say that you don't even have to be listening on port 53: if your IP has ever held a DNS listener in the past (authoritative or recursive), you are going to be seeing stale queries for domains that your IP is not authoritative for.

Just ignore the stale traffic. If you need reassurance that you aren't being successfully leveraged in an attack, look at your ratio of sent to received traffic. If your average outbound traffic is more than double your input traffic, something is probably going on.

Andrew B
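To put numbers on the two things discussed above (the answer's "just ignore it, but check your send/receive ratio" and the comment's distinction between stale delegations and random-qname floods), here is an added example that is not part of the original question or answer. It parses BIND "query (cache) ... denied" log lines, which is what a non-recursive server logs when it refuses a query for a zone it does not serve, groups them by the delegated domain, and applies a simple heuristic: a few fixed names queried by many different resolvers looks like stale NS data at a registrar, while many distinct random labels under one apex looks like a random-qname attack. The log lines, the zone list, the two-label apex approximation (no public suffix list, so co.uk-style names would be mis-grouped) and the classification thresholds are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed BIND "security"-category log lines (not from the original post)
# for queries a non-recursive authoritative server refused. Newer BIND
# versions add a "@0x..." client pointer; the regex accepts both forms.
SAMPLE_LOG = """\
09-Dec-2016 16:07:01.101 client 192.0.2.10#53211 (old-customer.example): query (cache) 'old-customer.example/A/IN' denied
09-Dec-2016 16:07:01.244 client 198.51.100.7#40001 (old-customer.example): query (cache) 'old-customer.example/MX/IN' denied
09-Dec-2016 16:07:02.019 client 203.0.113.9#10234 (www.old-customer.example): query (cache) 'www.old-customer.example/A/IN' denied
09-Dec-2016 16:07:02.555 client @0x7f3b1c0a2b10 192.0.2.10#53212 (old-customer.example): query (cache) 'old-customer.example/AAAA/IN' denied
09-Dec-2016 16:07:03.001 client 192.0.2.77#1234 (ab12xz.victim.example): query (cache) 'ab12xz.victim.example/A/IN' denied
09-Dec-2016 16:07:03.002 client 192.0.2.77#1235 (q9k2m1.victim.example): query (cache) 'q9k2m1.victim.example/A/IN' denied
09-Dec-2016 16:07:03.003 client 192.0.2.78#1236 (zz81pp.victim.example): query (cache) 'zz81pp.victim.example/A/IN' denied
09-Dec-2016 16:07:03.004 client 192.0.2.78#1237 (m4n5b6.victim.example): query (cache) 'm4n5b6.victim.example/A/IN' denied
09-Dec-2016 16:07:04.100 client 198.51.100.7#40002 (served.example): query (cache) 'served.example/A/IN' denied
"""

# Assumed: zones this server really serves; anything under them is skipped so
# a misconfiguration does not get counted as stale noise.
CONFIGURED_ZONES = {"served.example"}

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)


def apex(qname):
    """Approximate the delegated domain as the last two labels (assumption:
    no public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def under_configured_zone(qname):
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in CONFIGURED_ZONES)


def summarize_refused(log_text):
    """Group refused queries by apex: total queries, distinct qnames,
    distinct client IPs and query types."""
    stats = defaultdict(lambda: {"queries": 0, "qnames": set(),
                                 "clients": set(), "qtypes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or under_configured_zone(m["qname"]):
            continue
        s = stats[apex(m["qname"])]
        s["queries"] += 1
        s["qnames"].add(m["qname"].lower())
        s["clients"].add(m["ip"])
        s["qtypes"].add(m["qtype"])
    return stats


def classify(entry, min_queries=4, unique_ratio=0.75):
    """Assumed thresholds: mostly distinct labels under one apex looks like a
    random-qname flood; a few fixed names repeated by many resolvers looks
    like stale delegation data still pointing at this server."""
    if (entry["queries"] >= min_queries
            and len(entry["qnames"]) / entry["queries"] >= unique_ratio):
        return "random-qname"
    return "stale-delegation"


def outbound_ratio_suspicious(bytes_in, bytes_out, factor=2.0):
    """The answer's rule of thumb: outbound more than double inbound means the
    server may be amplifying someone else's traffic."""
    return bytes_in > 0 and bytes_out / bytes_in > factor


if __name__ == "__main__":
    for name, s in sorted(summarize_refused(SAMPLE_LOG).items()):
        print(f"{name}: {s['queries']} refused, {len(s['qnames'])} names, "
              f"{len(s['clients'])} clients, types={sorted(s['qtypes'])} "
              f"-> {classify(s)}")
    print("amplifying?", outbound_ratio_suspicious(bytes_in=1000, bytes_out=2500))
```

Feed it your real log with `logging { category security { ... }; }` enabled and the apex table usually makes the picture obvious: the stale-delegation entries are a short list of names hit from a wide spread of resolver addresses and query types, and the same domains show up in your registrar-side NS records when you `dig NS` them. One caveat on the ratio check: a REFUSED response carries no answer section, so it is no larger than the query that triggered it, and a flood of these cannot amplify anything on its own; the send/receive ratio is mainly worth watching for the zones you do serve, where large responses (ANY, TXT, DNSSEC-signed) are what an attacker would be after.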