Strange DNS Queries - Request Packets/Logs

Published: 2012-01-13. Last Updated: 2012-01-15 13:51:25 UTC
by Guy Bruneau (Version: 2)

We have received some strange DNS traffic sample Type A query that isn't your typical DNS format. The DNS query has some fields that do change are marked with a X (see DNS query pattern). Other format/pattern may exist since the capture was based on a very short capture. We are trying to establish what this traffic maybe doing, whether it is a messed up DNS resolver, some sort of command and control or covert channel.

If you have seen this type of DNS query with this kind of behavior, we would like to hear from you.

Update 1:

Handler Bojan wrote a diary last year about Google Chrome DNS prefetching [1], however, the DNS samples submitted to ISC (XXXXXXaaaaXXX0000pjaaaabaafaejam) don't match the format described in Bojan's diary.

However, I have found another example that is similar to our sample except it is only 10-char long vs 32-char [2]. So far, the only plausible explanation it might be DNS prefetching.

32-bit DNS Query Pattern

XXXXXXaaaaXXX0000pjaaaabaafaejam

Sample Queries

omchikaaaaerd0000pjaaaabaafaejam: type A, class IN
ibjegdaaaaerd0000pjaaaabaafaejam: type A, class IN
ehjjafaaaaesx0000pjaaaabaafaejam: type A, class IN
dlegnhaaaaern0000pjaaaabaafaejam: type A, class IN
cfdnnoaaaaern0000pjaaaabaafaejam: type A, class IN

[1] http://isc.sans.edu/diary.html?storyid=10312
[2] https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching
[3] http://serverfault.com/questions/235307/unusual-head-requests-to-nonsense-urls-from-chrome

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: DNS Type A

8 comment(s)

Sysinternals Updates - http://blogs.technet.com/b/sysinternals/archive/2012/01/13/updates-autoruns-v11-21-coreinfo-v3-03-portmon-v-3-03-process-explorer-v15-12-mark-s-blog-and-mark-at-rsa-2012.aspx

New Generic Top-Level Domains (gTLDs) out for Sale

Published: 2012-01-13. Last Updated: 2012-01-13 15:44:20 UTC
by Guy Bruneau (Version: 1)

0 comment(s)

Yesterday ICANN started accepting applications for new generic top-level domains (gTLDs). "The world of .com, .gov, .org and 19 other gTLDs will soon be expanded to include all types of words in many different languages. For the first time generic TLDs can include words in non-Latin languages, such as Cyrillic, Chinese or Arabic." [1]

Last month, the US Federal Trade Commission indicated it has concerns with this change, they are concerned that consumer protection safeguard against bad actors that could lead to potential risk of abuse through existing scams such as phishing sites. [2]

Do you see these changes have a potential for concern and abuse or just business as usual?

[1] http://www.icann.org/en/announcements/announcement-11jan12-en.htm
[2] http://www.ftc.gov/os/closings/publicltrs/111216letter-to-icann.pdf
[3] http://newgtlds.icann.org/en/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: gTDL

0 comment(s)

January 2012 OUCH! released - This month we focus on how to secure home Wi-Fi networks, now in German also! http://bit.ly/ja6TMH

ISC StormCast for Friday, January 13th 2012 http://isc.sans.edu/podcastdetail.html?id=2254