
SANS Internet Storm Center InfoSec Forums: Strange DNS Queries - Request Packets/Logs


Strange DNS Queries - Request Packets/Logs

We have received a sample of strange DNS traffic: Type A queries that aren't in your typical DNS format. The fields of the DNS query that do change are marked with an X (see DNS query pattern). Other formats/patterns may exist, since this was based on a very short capture. We are trying to establish what this traffic may be doing: whether it is a messed-up DNS resolver, some sort of command and control, or a covert channel.

If you have seen this type of DNS query with this kind of behavior, we would like to hear from you.

DNS Query Pattern

XXXXXXaaaaXXX0000pjaaaabaafaejam

Sample Queries

omchikaaaaerd0000pjaaaabaafaejam: type A, class IN
ibjegdaaaaerd0000pjaaaabaafaejam: type A, class IN
ehjjafaaaaesx0000pjaaaabaafaejam: type A, class IN
dlegnhaaaaern0000pjaaaabaafaejam: type A, class IN
cfdnnoaaaaern0000pjaaaabaafaejam: type A, class IN

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

411 Posts
ISC Handler
Looks like a botched IPv6 query of sorts.
Al of Your Data Center

80 Posts
I had three of these today, all coming from IP addresses registered to Google.
JanS

10 Posts
Make sure these are google chrome DBS queries. Chrome will prefetch DNS and then do random DNS queries to verify the results aren't tampered with. See http://www.google.com/support/forum/p/Chrome/thread?tid=6df1207e9c52410a&hl=en
Anonymous

Posts
DNS not DBS. Autocorrect fail. Aren't not are. Human fail.
Anonymous

Posts
Just to clarify: the queries were sent to our nameserver from clients using IPs registered to Google.
Log example:
14-Jan-2012 00:36:15.346 queries: client 74.125.92.82#64997: query: aiokhhaacaldu0000cpabaaaaaabangb.www.ip-solutions.se IN A -E
If these are Google Chrome queries, then the Chrome clients are within the Google network.
JanS

10 Posts
Might be some sort of DNS verification for some Google Apps services:
http://support.google.com/a/bin/answer.py?hl=en&answer=183895

But Google's DNS verification of domain ownership for Apps usually uses TXT records, not A / AAAA records, unless Google is testing some new verification method...

Another reason might be that there's a badly configured DNSSEC option somewhere...
Anonymouse

11 Posts
Since DNSSEC was mentioned.. didn't Comcast roll out DNSSEC this week to residential customers?
Anonymous

Posts
Could possibly be a query from someone running dnsenum (https://code.google.com/p/dnsenum/) or similar tool. It does a wildcard check to look for a *.domain entry, the default test is "pseudorandabcdefuvwxyz0123456789". It doesn't match the pattern, but it matches the length.
Anonymous

Posts
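As an added example (not code from the thread or from any of its posters), the script below parses BIND-style query log lines in the format JanS quoted and classifies the leftmost label of each queried name. It checks the exact pattern from the original post (XXXXXXaaaaXXX0000pjaaaabaafaejam) and also a looser structural form that is my own generalization: both the ISC samples and JanS's label are 13 lowercase letters, the literal "0000", then 15 letters, 32 characters in all. Labels that are 32 characters long but laid out differently, such as the dnsenum wildcard probe mentioned in the last reply, are reported separately. The log lines, the client IPs (documentation ranges) and the zone name example.net are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log lines in the format JanS quoted.
# Client IPs and the zone name are made up; the query labels are the ones
# posted in the thread plus dnsenum's default wildcard-check label.
SAMPLE_LOG = """\
14-Jan-2012 00:36:15.346 queries: client 192.0.2.10#64997: query: aiokhhaacaldu0000cpabaaaaaabangb.example.net IN A -E
14-Jan-2012 00:36:16.012 queries: client 192.0.2.10#64998: query: omchikaaaaerd0000pjaaaabaafaejam.example.net IN A -E
14-Jan-2012 00:36:17.500 queries: client 198.51.100.7#53011: query: www.example.net IN A -E
14-Jan-2012 00:36:18.200 queries: client 198.51.100.7#53012: query: pseudorandabcdefuvwxyz0123456789.example.net IN A -E
14-Jan-2012 00:36:19.001 queries: client 203.0.113.5#40001: query: mail.example.net IN MX -E
"""

# The fields of a BIND query log line that matter for triage.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Exact pattern from the original post: XXXXXXaaaaXXX0000pjaaaabaafaejam,
# with each X a lowercase letter.
EXACT_RE = re.compile(r"^[a-z]{6}aaaa[a-z]{3}0000pjaaaabaafaejam$")

# Structural form shared by the ISC samples and JanS's label (my generalization):
# 13 letters, the literal "0000", then 15 letters, 32 characters in total.
STRUCT_RE = re.compile(r"^[a-z]{13}0000[a-z]{15}$")


def classify_label(label: str) -> str:
    """Categorise the leftmost label of a queried name."""
    label = label.lower()
    if EXACT_RE.match(label):
        return "exact-pattern"
    if STRUCT_RE.match(label):
        return "structural-match"
    if len(label) == 32:
        # Same length as the samples but a different layout, e.g. dnsenum's
        # "pseudorandabcdefuvwxyz0123456789" wildcard probe.
        return "length-32-only"
    return "normal"


def parse_query_log(text: str) -> list:
    """Turn query log text into dicts with ip, qname, qtype and category."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line, or a format this parser does not handle
        qname = m.group("qname").rstrip(".")
        first_label = qname.split(".")[0]
        events.append({
            "ip": m.group("ip"),
            "qname": qname,
            "qtype": m.group("qtype"),
            "category": classify_label(first_label),
        })
    return events


def summarize_by_client(events: list) -> dict:
    """Count non-normal categories per client IP so repeat sources stand out."""
    per_client = defaultdict(Counter)
    for ev in events:
        if ev["category"] != "normal":
            per_client[ev["ip"]][ev["category"]] += 1
    return {ip: dict(counts) for ip, counts in per_client.items()}


if __name__ == "__main__":
    evs = parse_query_log(SAMPLE_LOG)
    for ev in evs:
        print(f'{ev["ip"]:14} {ev["category"]:17} {ev["qname"]}')
    print(summarize_by_client(evs))
```

Feeding a real BIND query log through parse_query_log and summarize_by_client gives a per-source count of matching labels, which is what you need to answer the thread's question for your own resolver: whether the pattern comes from a handful of clients repeatedly (more consistent with a tool or a misbehaving resolver) or is scattered across many sources.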
