Peculiar DNS queries

Lars Kollstedt lk at man-da.de
Sun Dec 22 22:36:46 UTC 2019


On Sunday, December 22nd 2019, 18:28:48 CET, Paul Kosinski via bind-users wrote:
> Every so often, we get a run of peculiar queries to our (BIND / named)
> DNS server. Note the apparently random mix of lower case and upper case
> letters in the domain names.
> 
> Does anybody have any idea why somebody would be doing this? (It's
> legal, I guess, but quite non-standard.)
> 
> Dec 22 12:05:43 iment0 named[10333]: client 134.0.217.68#20012
> (Www.IMent.coM): query: Www.IMent.coM IN AAAA -E (216.55.100.246)
[...]

On Sunday, December 22nd 2019, 18:41:27 CET, Gaurav Kansal via bind-users wrote:
> This is a “spoofing resistance” technique.
> For more info, check “0x20 Bit Encoding”.



Hello Paul,

for more information about this see

https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00

and

https://indico.dns-oarc.net/event/20/contributions/265/attachments/254/471/ISC-case-sensitivity.pdf

I at first wondered about this, too. ;-)

But it's a technology to add additional entropy to the DNS communication (to 
prevent cache poisoning based on spoofed answers), especially for the case where the 
authoritative server doesn't support DNS Cookies.

Kind regards,
	Lars

-- 
Lars Kollstedt

Phone:   +49 6151 16-71027
E-Mail:  lk at man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Registered office: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Managing director: Andreas Ebert
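
The 0x20 technique discussed in this thread, sketched as an added example that is not part of the original messages or of BIND's code: a resolver randomizes the case of each letter and accepts an answer only if the exact case is echoed back, and an operator can recognise such queries in a query log. The function names, the log regex and the second sample line are assumptions made for this illustration.

```python
import re
import secrets

def _is_letter(c: str) -> bool:
    return c.isascii() and c.isalpha()

def encode_0x20(qname: str) -> str:
    """Resolver side: randomly set or clear bit 0x20 (the case bit) of each letter."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower()) if _is_letter(c) else c
        for c in qname
    )

def added_entropy_bits(qname: str) -> int:
    """One unpredictable bit per ASCII letter; digits, dots and hyphens add none."""
    return sum(1 for c in qname if _is_letter(c))

def response_matches(sent_qname: str, echoed_qname: str) -> bool:
    """Accept an answer only if its question section echoes the exact case sent."""
    return sent_qname == echoed_qname  # exact, not case-insensitive

# Assumed pattern, written to match the query-log format quoted in this thread.
QUERY_RE = re.compile(r"client (?P<ip>\S+)#\d+ \((?P<qname>[^)]+)\): query:")

def looks_0x20(qname: str) -> bool:
    """Heuristic: the name contains both upper- and lower-case letters."""
    return any(c.isupper() for c in qname) and any(c.islower() for c in qname)

def classify_log(lines):
    """Return (client_ip, qname, looks_0x20) for every query line found."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((m["ip"], m["qname"], looks_0x20(m["qname"])))
    return out

SAMPLE_LOG = [
    # First line is the one quoted in the thread (re-joined); the second is constructed.
    "Dec 22 12:05:43 iment0 named[10333]: client 134.0.217.68#20012 "
    "(Www.IMent.coM): query: Www.IMent.coM IN AAAA -E (216.55.100.246)",
    "Dec 22 12:05:44 iment0 named[10333]: client 192.0.2.10#40000 "
    "(www.iment.com): query: www.iment.com IN A -E (216.55.100.246)",
]

if __name__ == "__main__":
    for ip, qname, flag in classify_log(SAMPLE_LOG):
        print(ip, qname, "0x20-style" if flag else "plain", added_entropy_bits(qname))
```

The mixed-case check is only a heuristic: a name typed by hand with a capital letter would also be flagged.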



