Random nx name queries, anyone see this before?

Alan Clegg Alan_Clegg at isc.org
Tue Dec 16 14:20:47 UTC 2008

Frank Behrens wrote:
> ponga2112 at gmail.com <ponga2112 at gmail.com> wrote on 15 Dec 2008 16:34:
>> I'd be very interested in what others find. I do have an update and
>> correction to my original post:
>> The format is 9chars.8chars - as an example:
>> qjnqrtfun.wxsifmgj
>> Sometimes a colon appears, so the char list seems to be [a-z:]
>> Also, I was wrong about the FQDN - they do appear in named/bind logs -
>> so whatever app it is, the suffix search order is being used. My
>> apologies for the incorrect info the first time.

I had never seen any suffixes on the ones that I captured in the past
(note that I first noticed this in March of 2008 and I don't see any of
the odd traffic at the moment).

>> There are a couple clients that do this - so thanks for the tip AlanC,
>> I will look for a pattern. Other than that, I'm stumped. Thanks for
>> any hints provided!!

Look for patterns in the source UDP port -- also the timing of the
queries was rather interesting, with some of the queries actually
matching even when the sources of the requests were on different subnets
and on machines that were owned by different organizations.

> Is it possible that a bot net tries to connect?
> http://www.heise-online.co.uk/security/Botnet-rises-again--/news/112118
> I don't want to make a panic, it's an idea only...

I had originally thought the same thing, but I can't see how it would be

The problem with that theory is that the queries would only make it from
the infected machine to the upstream resolver, and then to the root and
an NXDOMAIN response would be elicited.

07-Mar-2008 02:01:31.516 queries: info: client A#1067: query: 4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query: 9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query: gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query: 8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query: fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query: ek3hfaui:.t2o91ir1 IN A +
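
A small triage script for the two checks Alan suggests (source-port reuse and query cadence across clients), as an added example that is not part of the original post or any ISC tool. It parses BIND 9 query-log lines in the format shown above, flags names matching the 9-char.8-char shape the thread describes (the character class, the optional search-suffix tail and the colon tell are assumptions based on the thread, not a confirmed signature), then reports per-client ports and inter-query gaps. The sample log is constructed: it is the six lines quoted above, with already anonymised client names, plus one ordinary query from a hypothetical client D as a negative case.

```python
"""Triage BIND query-log lines for the random 9-char.8-char names discussed
in this thread, then look for the source-port and timing patterns suggested.

Constructed example. The first six sample lines are the ones quoted in the
post (clients already anonymised as A, B, C); the client D line is invented
as a negative control.
"""
import re
from collections import defaultdict
from datetime import datetime

# One BIND 9 "queries" category line per record, in the older format used in
# the post (no "(view)" part after the port); an optional parenthesised part
# is tolerated for later BIND versions.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+)(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)

# Heuristic from the thread (assumption): first label 9 chars, second label
# 8 chars, from [a-z0-9:]; an optional trailing suffix covers stub resolvers
# that append a search domain. A colon is legal in DNS but never appears in a
# real hostname, so it is a strong tell on its own.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9:]{9}\.[a-z0-9:]{8}(?:\.[A-Za-z0-9.-]+)?\.?$")

SAMPLE_LOG = """\
07-Mar-2008 02:01:31.516 queries: info: client A#1067: query: 4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query: 9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query: gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query: 8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query: fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query: ek3hfaui:.t2o91ir1 IN A +
07-Mar-2008 02:05:40.000 queries: info: client D#5353: query: www.isc.org IN A +
"""


def parse_line(line):
    """Return a dict for one query-log line, or None if it is not a query record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec["random"] = bool(RANDOM_NAME_RE.match(rec["qname"]))
    rec["has_colon"] = ":" in rec["qname"]
    return rec


def summarize(log_text):
    """Per client: count of random-looking queries, the source ports used, the
    gaps in seconds between consecutive random queries, and names with a colon."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["random"]:
            by_client[rec["client"]].append(rec)
    summary = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [round((b["ts"] - a["ts"]).total_seconds(), 3)
                for a, b in zip(recs, recs[1:])]
        summary[client] = {
            "count": len(recs),
            "ports": sorted({r["port"] for r in recs}),
            "gaps": gaps,
            "colon_names": [r["qname"] for r in recs if r["has_colon"]],
        }
    return summary


def shared_cadence(summary, bucket=1.0):
    """Group clients whose inter-query gaps round to the same bucket (seconds).
    Several unrelated clients on one cadence is the cross-subnet signal the
    post describes; a single client alone is just a periodic timer."""
    buckets = defaultdict(set)
    for client, info in summary.items():
        for g in info["gaps"]:
            buckets[round(g / bucket) * bucket].add(client)
    return {k: sorted(v) for k, v in buckets.items() if len(v) > 1}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for client, info in sorted(s.items()):
        print(client, info)
    print("shared cadence:", shared_cadence(s))
```

On the quoted sample this reports A and C keeping one source port across queries (1067 and 1031), B stepping its port by one, and all three clients on a roughly 120-second cadence, which is the kind of coincidence worth chasing back to the hosts; run it over a full day of logs rather than six lines before drawing any conclusion.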
