Peculiar DNS queries
Lars Kollstedt
lk at man-da.de
Sun Dec 22 22:36:46 UTC 2019
On Sunday, December 22nd 2019, 18:28:48 CET, Paul Kosinski via bind-users wrote:
> Every so often, we get a run of peculiar queries to our (BIND / named)
> DNS server. Note the apparently random mix of lower case and upper case
> letters in the domain names.
>
> Does anybody have any idea why somebody would be doing this? (It's
> legal, I guess, but quite non-standard.)
>
> Dec 22 12:05:43 iment0 named[10333]: client 134.0.217.68#20012
> (Www.IMent.coM): query: Www.IMent.coM IN AAAA -E (216.55.100.246)
[...]
On Sunday, December 22nd 2019, 18:41:27 CET, Gaurav Kansal via bind-users wrote:
> This is a “spoofing resistance” technique.
> For more info, check “0x20 Bit Encoding”.
Hello Paul,
for more information about this see
https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
and
https://indico.dns-oarc.net/event/20/contributions/265/attachments/254/471/ISC-case-sensitivity.pdf
I at first wondered about this, too. ;-)
But it's a technology to add additional entropy to the DNS communication (to
prevent cache poisoning based on spoofed answers), especially for the case where
the authoritative server doesn't support DNS Cookies.
Kind regards,
Lars
--
Lars Kollstedt
Phone: +49 6151 16-71027
E-Mail: lk at man-da.de
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Registered office: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Managing director: Andreas Ebert
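
The 0x20 technique described in this thread, as an added example that is not part of the original messages: a resolver randomizes the case of the query name, accepts only a reply that echoes it exactly, and an operator can recognize such queries in a BIND query log. All function names are hypothetical; the log line is the one quoted above, rejoined onto one line.

```python
import re
import secrets

def encode_0x20(qname, rng=secrets.SystemRandom()):
    """Resolver side: flip each ASCII letter to a random case before sending."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in qname)

def entropy_bits(qname):
    """One extra bit per ASCII letter, on top of query ID and source port."""
    return sum(c.isascii() and c.isalpha() for c in qname)

def accept_response(sent_qname, echoed_qname):
    """Resolver side: the question section must come back byte-for-byte.
    Ordinary DNS name comparison ignores case; this check does not."""
    return sent_qname == echoed_qname

def has_mixed_case(qname):
    """Log triage: True if any label is not all-lower, all-upper or Capitalized."""
    return any(l not in (l.lower(), l.upper(), l.capitalize())
               for l in qname.rstrip(".").split("."))

QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")

def qname_from_log(line):
    """Pull the query name out of a BIND query-log line, or None."""
    m = QUERY_RE.search(line)
    return m.group(1) if m else None

# Log line quoted earlier in this thread, rejoined onto one line.
LOG = ("Dec 22 12:05:43 iment0 named[10333]: client 134.0.217.68#20012 "
       "(Www.IMent.coM): query: Www.IMent.coM IN AAAA -E (216.55.100.246)")

if __name__ == "__main__":
    seen = qname_from_log(LOG)
    print(seen, "mixed case:", has_mixed_case(seen))
    sent = encode_0x20("www.iment.com")
    print(sent, "adds", entropy_bits(sent), "bits")
    print("exact echo accepted:", accept_response(sent, sent))
    print("lower-cased echo accepted:", accept_response(sent, sent.lower()))
```

A spoofed answer that guesses the query ID and port but returns the name in the wrong case fails `accept_response`, which is where the added entropy comes from.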