Strange DNS Queries - Request Packets/Logs
We have received some strange DNS traffic sample Type A query that isn't your typical DNS format. The DNS query has some fields that do change are marked with a X (see DNS query pattern). Other format/pattern may exist since the capture was based on a very short capture. We are trying to establish what this traffic maybe doing, whether it is a messed up DNS resolver, some sort of command and control or covert channel.
If you have seen this type of DNS query with this kind of behavior, we would like to hear from you.
Update 1:
Handler Bojan wrote a diary last year about Google Chrome DNS prefetching [1], however, the DNS samples submitted to ISC (XXXXXXaaaaXXX0000pjaaaabaafaejam) don't match the format described in Bojan's diary.
However, I have found another example that is similar to our sample except it is only 10-char long vs 32-char [2]. So far, the only plausible explanation it might be DNS prefetching.
32-bit DNS Query Pattern
XXXXXXaaaaXXX0000pjaaaabaafaejam
Sample Queries
omchikaaaaerd0000pjaaaabaafaejam: type A, class IN
ibjegdaaaaerd0000pjaaaabaafaejam: type A, class IN
ehjjafaaaaesx0000pjaaaabaafaejam: type A, class IN
dlegnhaaaaern0000pjaaaabaafaejam: type A, class IN
cfdnnoaaaaern0000pjaaaabaafaejam: type A, class IN
[1] http://isc.sans.edu/diary.html?storyid=10312
[2] https://sites.google.com/a/chromium.org/dev/developers/design-documents/dns-prefetching
[3] http://serverfault.com/questions/235307/unusual-head-requests-to-nonsense-urls-from-chrome
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
New Generic Top-Level Domains (gTLDs) out for Sale
Yesterday ICANN started accepting applications for new generic top-level domains (gTLDs). "The world of .com, .gov, .org and 19 other gTLDs will soon be expanded to include all types of words in many different languages. For the first time generic TLDs can include words in non-Latin languages, such as Cyrillic, Chinese or Arabic." [1]
Last month, the US Federal Trade Commission indicated it has concerns with this change, they are concerned that consumer protection safeguard against bad actors that could lead to potential risk of abuse through existing scams such as phishing sites. [2]
Do you see these changes have a potential for concern and abuse or just business as usual?
[1] http://www.icann.org/en/announcements/announcement-11jan12-en.htm
[2] http://www.ftc.gov/os/closings/publicltrs/111216letter-to-icann.pdf
[3] http://newgtlds.icann.org/en/
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
6 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago