Ask HN: For the people running authoritative DNS servers
3 points by LinuxBender 68 days ago
For those who log DNS traffic specifically with tcpdump: are you seeing an unusually high number of spoofed answers, vs. queries, for all the DNS registrar domains, DNS providers and long, nonsensical 36-character apex+TLD domains? This will not show up in native query logs, as it's not hitting port 53 but rather acting as if I am making the request.

Obviously this does not hurt my servers, as they just silently drop it, but it looks like someone is getting ready to do something to all the DNS registrars and big DNS providers, including but not limited to Cloudflare, Name dot com, Afraid dot org, AWS DNS, Porkbun, nic dot uk, Nether dot net and ofpenguins dot net.

Adding to the oddity, all the traffic makes it look like I am making the request, and each of those registrars and DNS providers is answering it as if they are trying to poison a cache, but my server is authoritative, not recursive. The spoofed "answers" will never reach my DNS daemon. There is no cache, and they should be able to easily see it is not a recursive server. There is a good deal of bogus RRSIG/NSEC3 "answers". My server just ignores it, obviously, and it is harmless. I am only asking to see if others are suddenly getting this traffic. It just "feels" like someone is getting ready to do "something" on a big scale. A gut feeling, so to speak. I have monitored DNS traffic daily for over 26 years and have not seen this particular pattern.

To look for this:

    tcpdump -p --dont-verify-checksums -i any -NNnnvvv -s0 -B16384 -c65536 not host 127.0.0.1 and port 53

[Edit:] Whatever is going on, they stopped hitting my server, but I suspect others may start seeing this. I have no idea how many DNS providers and registrars passively log DNS traffic.
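The check a practitioner would want to run over such a capture, as an added example that is not part of the original post or the poster's tooling: parse each inbound DNS message, and treat any message with the QR (response) bit set that matches no query this host actually sent (by remote address, local port, transaction ID and question) as an unsolicited answer, noting whether it carries RRSIG/NSEC3 records. It assumes the tcpdump capture has already been turned into (source address, source port, local port, UDP payload) tuples, for example by reading a `tcpdump -w` pcap with a pcap library (that reader is not included). All packets, names and addresses below are constructed for the example, using RFC 5737 documentation ranges.

```python
"""Flag DNS answers that arrive for queries this host never sent (added example,
not the poster's code). Packets are constructed, using RFC 5737 addresses."""
import struct

RRSIG, NSEC3 = 46, 50
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA", RRSIG: "RRSIG", NSEC3: "NSEC3"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_msg(txid, flags, qname, qtype, rrs=()):
    """Header + one IN question + rrs as answers. rrs items: (owner, rtype, rdata);
    owner may be raw wire bytes, e.g. b"\\xc0\\x0c", a pointer to the question name."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in rrs:
        owner = owner if isinstance(owner, bytes) else encode_name(owner)
        msg += owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                       # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_msg(msg):
    """Parse header, questions, and the type of every RR in the other sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, rtypes = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for _ in range(an + ns + ar):
        _owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rtypes.append(rtype)
    return {"id": txid, "qr": bool(flags & 0x8000), "questions": questions, "rtypes": rtypes}


def unsolicited_answers(packets, outstanding):
    """packets: (src_ip, src_port, local_port, payload). outstanding: set of
    (src_ip, local_port, txid, qname, qtype) for queries this host really sent;
    an authoritative-only server keeps it empty, so every answer is unsolicited."""
    findings = []
    for src_ip, src_port, local_port, payload in packets:
        try:
            m = parse_msg(payload)
        except (struct.error, IndexError, UnicodeDecodeError, ValueError):
            findings.append({"src": src_ip, "reason": "malformed"})
            continue
        if not m["qr"]:
            continue                                  # a query; the daemon logs those
        for qname, qtype in m["questions"]:
            if (src_ip, local_port, m["id"], qname, qtype) in outstanding:
                continue
            findings.append({
                "src": src_ip, "sport": src_port, "id": m["id"], "qname": qname,
                "qtype": TYPE_NAMES.get(qtype, str(qtype)),
                "dnssec_rrs": sorted(TYPE_NAMES[t] for t in set(m["rtypes"]) if t in (RRSIG, NSEC3)),
            })
    return findings


def sample_capture():
    """Constructed traffic (not a real capture) shaped like what the post describes."""
    odd = "k4x9p2m7q1w8e5r3t6y0u2i5o8a1s4d7.net."    # made-up 36-character apex + TLD
    spoofed = build_msg(0x7F3A, 0x8180, odd, 1, rrs=[
        (b"\xc0\x0c", 1, bytes([203, 0, 113, 7])),
        (b"\xc0\x0c", RRSIG, b"\x00" * 18),          # placeholder rdata, never inspected
        (odd, NSEC3, b"\x00" * 5),
    ])
    legit = build_msg(0x0042, 0x8180, "example.com.", 1, rrs=[(b"\xc0\x0c", 1, bytes([192, 0, 2, 1]))])
    query = build_msg(0x1111, 0x0100, "example.org.", 1)
    packets = [
        ("198.51.100.53", 53, 41234, spoofed),        # answer to a query we never sent
        ("198.51.100.2", 53, 40123, legit),           # answer to a query we did send
        ("203.0.113.9", 55555, 53, query),            # ordinary inbound query
        ("198.51.100.53", 53, 41235, spoofed[:7]),    # truncated on the wire
    ]
    return packets, {("198.51.100.2", 40123, 0x0042, "example.com.", 1)}
```

The source port is 53 and the local port is whatever the forger chose, which is why the poster's tcpdump filter on `port 53` catches these packets while the daemon's query log never sees them: nothing arrives on the daemon's listening port as a query. On a host that never recurses, the outstanding set is empty and the check reduces to "any inbound message with QR set is unsolicited"; the txid/port matching only matters on a resolver, which is also the only place such a forged answer could have any effect.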
