Strange DNS Queries - Request Packets/Logs
We have received a sample of strange DNS traffic: Type A queries whose query names are not in a typical DNS format. The fields of the query name that change between queries are marked with an X (see the DNS query pattern below). Other formats or patterns may exist, since the sample comes from a very short capture. We are trying to establish what this traffic may be doing: whether it is a broken DNS resolver, some sort of command and control, or a covert channel.
If you have seen this type of DNS query with this kind of behavior, we would like to hear from you.
Update 1:
Handler Bojan wrote a diary last year about Google Chrome DNS prefetching [1]; however, the DNS samples submitted to ISC (XXXXXXaaaaXXX0000pjaaaabaafaejam) do not match the format described in Bojan's diary.
However, I have found another example that is similar to our sample, except that it is only 10 characters long rather than 32 [2]. So far, the only plausible explanation is that it is DNS prefetching.
32-Character DNS Query Pattern
XXXXXXaaaaXXX0000pjaaaabaafaejam
Sample Queries
omchikaaaaerd0000pjaaaabaafaejam: type A, class IN
ibjegdaaaaerd0000pjaaaabaafaejam: type A, class IN
ehjjafaaaaesx0000pjaaaabaafaejam: type A, class IN
dlegnhaaaaern0000pjaaaabaafaejam: type A, class IN
cfdnnoaaaaern0000pjaaaabaafaejam: type A, class IN
[1] http://isc.sans.edu/diary.html?storyid=10312
[2] https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching
[3] http://serverfault.com/questions/235307/unusual-head-requests-to-nonsense-urls-from-chrome
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
Al of Your Data Center
Jan 13th 2012
Jan@skenbart
Jan 14th 2012
Netop
Jan 14th 2012
NetopMake
Jan 14th 2012
Log example:
14-Jan-2012 00:36:15.346 queries: client 74.125.92.82#64997: query: aiokhhaacaldu0000cpabaaaaaabangb.www.ip-solutions.se IN A -E
If these are Google Chrome queries, then the Chrome clients are within the Google network.
Jan@skenbart
Jan 14th 2012
http://support.google.com/a/bin/answer.py?hl=en&answer=183895
But Google's DNS verification of domain ownership for Apps usually uses TXT records, not A/AAAA records, unless Google is testing some new verification method...
Another reason might be that there's a badly configured DNSSEC option somewhere...
A.
Jan 15th 2012
EOIT
Jan 16th 2012
anon
Jan 19th 2012