I run a resolver in the form of a FreeBSD jail running unbound. It gets upstream resolution from my NextDNS account.
There is no access control - if you can guess the IP address you can submit DNS requests. Whatever. No issues for 2.5 years.
Yesterday, out of nowhere, I started getting ~20 lookup requests per second from a very broad range of IPs, almost all in Brazil. Every request was for cloudflare.com.
Not subdomain.cloudflare.com or blah.blah.cloudflare.com - just TLD cloudflare.com.
Most of these IP addresses reverse resolved to some.thing.com.br. For instance:
45.169.84.30-7lan.com.br.
... and it was entire /16 blocks full of IPs, from one or two .br ISPs, hammering me for "cloudflare.com".
So ...
I inserted this line into unbound.conf:
local-zone: "cloudflare.com" always_nxdomain
... which I assumed would break things and get someone's attention ... and I also put in 10-12 ipfw blocks for entire /16 blocks to blackhole the traffic.
Today, on October 4, this traffic has ceased.
However, I find it very interesting to learn that there was a cloudflare name resolution outage yesterday and I wonder if, and how, these are connected.
Two theories:
1. A botnet operating out of Brazil discovered my anonymous resolver and used it in their client configuration and they phone home over some cloudflare tunnel or whatever but they couldn't perform the cloudflare.com lookup so they just kept retrying ?
Was it not possible to resolve "cloudflare.com" during the outage ?
2. Some lazy .com.br admin used my resolver as secondary DNS for residential end users and maybe 1.1.1.1 as the primary but ... the primary went away and ... ? Doesn't really explain why the only lookup ever performed was for "cloudflare.com".
... or maybe just a weird coincidence ?
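The pattern in the post (one name, thousands of clients spread over whole /16s) is easy to pick out of unbound's own query log before it reaches 20 q/s. The script below is an added example, not code from the post: it parses lines in the shape unbound emits with `log-queries: yes`, counts how many distinct /16 prefixes asked for each name, and flattens the offending prefixes into a list that a packet filter like ipfw could consume. The log lines are constructed to mimic the incident; the `min_networks` threshold is an assumption.

```python
"""Detect a single-name query flood from many distinct networks in unbound
query logs. Added example, not part of the original post; the log lines
below are constructed to mimic unbound's `log-queries: yes` output."""
from collections import defaultdict
import ipaddress
import re

# unbound with `log-queries: yes` logs one line per query, e.g.
# "[1696348800] unbound[1234:0] info: 45.169.84.30 cloudflare.com. A IN"
QUERY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Constructed sample: a flood for cloudflare.com from many /16s plus a little
# ordinary traffic from one local stub client.
SAMPLE_LOG = """\
[1696348800] unbound[1234:0] info: 45.169.84.30 cloudflare.com. A IN
[1696348800] unbound[1234:0] info: 45.169.85.12 cloudflare.com. A IN
[1696348800] unbound[1234:0] info: 177.10.3.9 cloudflare.com. A IN
[1696348801] unbound[1234:0] info: 177.11.200.77 cloudflare.com. A IN
[1696348801] unbound[1234:0] info: 191.240.1.1 cloudflare.com. A IN
[1696348801] unbound[1234:0] info: 192.168.1.20 www.freebsd.org. AAAA IN
[1696348802] unbound[1234:0] info: 192.168.1.20 nextdns.io. A IN
[1696348802] unbound[1234:0] info: 200.150.9.9 cloudflare.com. A IN
"""


def parse_queries(text):
    """Yield (client_ip, qname) for each query line; skip non-query lines."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower()


def flood_report(text, min_networks=3):
    """Group queries by qname and count distinct client /16s per name.

    Returns {qname: {"queries": n, "networks": sorted list of /16 prefixes}}
    for names asked from at least `min_networks` distinct /16s (threshold is
    an assumption). A benign stub client repeats names from one network; one
    name asked from dozens of networks, as in the post, stands out at once.
    """
    by_name = defaultdict(lambda: {"queries": 0, "networks": set()})
    for client, qname in parse_queries(text):
        # Collapse each client into its /16 so a whole ISP block counts once.
        net = ipaddress.ip_network(f"{client}/16", strict=False)
        by_name[qname]["queries"] += 1
        by_name[qname]["networks"].add(str(net))
    return {
        q: {"queries": d["queries"], "networks": sorted(d["networks"])}
        for q, d in by_name.items()
        if len(d["networks"]) >= min_networks
    }


def blocklist_prefixes(report):
    """Flatten the offending /16s into a sorted unique list that can be fed
    to a packet filter (the post blackholed such blocks with ipfw)."""
    return sorted({n for d in report.values() for n in d["networks"]})


if __name__ == "__main__":
    rep = flood_report(SAMPLE_LOG)
    for q, d in rep.items():
        print(f"{q}: {d['queries']} queries from {len(d['networks'])} /16s")
    print("prefixes to block:", blocklist_prefixes(rep))
```

Blackholing /16s treats the symptom; the durable fix for an open resolver is unbound's `access-control:` directive (for example `access-control: 0.0.0.0/0 refuse` followed by an `allow` line for the networks that should be served), which answers REFUSED to everyone else and removes the resolver from the pool a botnet or a careless ISP can point clients at.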