Hi Frederik,

"Fredrik Pettai via Ns.se" <ns.se@lists.iis.se> writes:

> On 20 Dec 2024, at 08:02, Jacob Bunk Nielsen via Ns.se <ns.se@lists.iis.se> wrote:
>> Do you see any pattern in queries being made that could give you a hint about what is going on? E.g. is it towards zones hosted in your DNS servers?
>
> We don't log queries by default, we only log all issues/errors and policy decisions.

We log a small statistical sample of queries to be able to investigate what we get a lot of. If you can live with the privacy implications, I can highly recommend this for later investigation.

>> Which kind of records are they looking for? Are there any patterns in the names they query for?
>
> Real names & words in the zone or subdomain(s) of the zone, as far as we could see from our manual checks. And the name server stats didn't show any broken / illegal queries either.

Seems like a standard pseudo-random subdomain attack to me.

> Since we don't log queries (for privacy reasons), we can only guess they were updating a catalog of free domain names. Perhaps this is more of an issue for TLDs? Only we haven't seen this before...

They would only hit your name servers for domains that are delegated to your servers, right? So looking up stuff like example.sunet.se would only really be useful as part of some form of attack, I believe. We see these sorts of attacks regularly.

Best regards,
Jacob
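The two points made in this exchange, that a sampled query log is enough to investigate "what we get a lot of", and that a flood of distinct names under a delegated zone is the signature of a pseudo-random subdomain attack even when the labels are real words rather than random strings, can be turned into a small triage script. The following is an added example written for this page; it is not code from the thread, from SUNET, or from any name server product. It assumes a sampled log in the form "client qname qtype rcode" (a constructed format, as is the sample data and the hosted-zone list). A zone is flagged when nearly every sampled query under it asks for a different label and nearly all of them return NXDOMAIN; the label entropy is reported only as extra information, because dictionary-word attacks like the one described above keep entropy low.

```python
"""Triage a sampled DNS query log for pseudo-random subdomain (PRSD) attacks.

Added example for this thread, not code from the original posts. The log
format, the hosted zones and the sample lines below are all constructed.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Zones delegated to "our" authoritative servers (constructed list).
HOSTED_ZONES = ("example.se", "sunet.se")

# Constructed sample: "<client> <qname> <qtype> <rcode>", one query per line.
SAMPLE_LOG = """\
192.0.2.10 www.example.se A NOERROR
192.0.2.11 mail.example.se MX NOERROR
192.0.2.12 www.example.se A NOERROR
192.0.2.13 ns1.example.se A NOERROR
192.0.2.10 www.example.se AAAA NOERROR
198.51.100.7 xk3q9vz2.sunet.se A NXDOMAIN
198.51.100.8 p0bl7tmz.sunet.se A NXDOMAIN
198.51.100.9 kitchen.sunet.se A NXDOMAIN
198.51.100.10 harbour.sunet.se A NXDOMAIN
198.51.100.11 q8r2wd4y.sunet.se A NXDOMAIN
198.51.100.12 lantern.sunet.se A NXDOMAIN
203.0.113.5 www.sunet.se A NOERROR
203.0.113.9 example.net A REFUSED
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one log line into (client, qname, qtype, rcode); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, qname, qtype, rcode = parts
    return client, qname.rstrip(".").lower(), qtype.upper(), rcode.upper()


def zone_of(qname: str, zones: Iterable[str]) -> Optional[str]:
    """Longest hosted zone that qname falls under, or None if not delegated to us."""
    best = None
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def label_below(qname: str, zone: str) -> str:
    """The label directly below the zone apex, e.g. 'b' for a.b.zone."""
    if qname == zone:
        return "@"
    return qname[: -len(zone) - 1].split(".")[-1]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a label in bits per character."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(lines: Iterable[str], zones: Iterable[str] = HOSTED_ZONES,
            min_queries: int = 5, distinct_ratio: float = 0.8,
            nxdomain_fraction: float = 0.8) -> Dict[str, dict]:
    """Per-zone statistics; 'suspicious' marks zones that look like PRSD targets."""
    zones = tuple(zones)
    acc: Dict[str, dict] = defaultdict(lambda: {
        "queries": 0, "labels": set(), "clients": set(),
        "nxdomain": 0, "entropy_sum": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, _qtype, rcode = rec
        zone = zone_of(qname, zones) or "(not hosted)"
        s = acc[zone]
        s["queries"] += 1
        s["clients"].add(client)
        if zone != "(not hosted)":
            label = label_below(qname, zone)
            s["labels"].add(label)
            s["entropy_sum"] += shannon_entropy(label)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1

    report: Dict[str, dict] = {}
    for zone, s in acc.items():
        n = s["queries"]
        ratio = len(s["labels"]) / n
        nx = s["nxdomain"] / n
        report[zone] = {
            "queries": n,
            "distinct_labels": len(s["labels"]),
            "distinct_ratio": round(ratio, 3),
            "nxdomain_fraction": round(nx, 3),
            "mean_label_entropy": round(s["entropy_sum"] / n, 3),
            "clients": len(s["clients"]),
            # Random-looking labels are not required: word lists give low entropy.
            "suspicious": n >= min_queries and ratio >= distinct_ratio and nx >= nxdomain_fraction,
        }
    return report


if __name__ == "__main__":
    for zone, stats in analyse(SAMPLE_LOG.splitlines()).items():
        print(zone, stats)
```

Queries for names outside the hosted zones land in a separate "(not hosted)" bucket, since, as noted above, those should not be arriving at an authoritative server at all and are worth counting on their own. The thresholds are starting points for a sampled log; tune them against a quiet day's sample before alerting on them.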