Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Strange DNS Queries - Request Packets/Logs SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Strange DNS Queries - Request Packets/Logs

We have received some strange DNS traffic sample Type A query that isn't your typical DNS format. The DNS query has some fields that do change are marked with a X (see DNS query pattern). Other format/pattern may exist since the capture was based on a very short capture. We are trying to establish what this traffic maybe doing, whether it is a messed up DNS resolver, some sort of command and control or covert channel.

If you have seen this type of DNS query with this kind of behavior, we would like to hear from you.

DNS Query Pattern


Sample Queries

omchikaaaaerd0000pjaaaabaafaejam: type A, class IN
ibjegdaaaaerd0000pjaaaabaafaejam: type A, class IN
ehjjafaaaaesx0000pjaaaabaafaejam: type A, class IN
dlegnhaaaaern0000pjaaaabaafaejam: type A, class IN
cfdnnoaaaaern0000pjaaaabaafaejam: type A, class IN


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


508 Posts
ISC Handler
Jan 13th 2012
Looks like a botched IPv6 query of sorts.
Al of Your Data Center

80 Posts
I had three of these today, all coming from IP addresses registered to Google.

10 Posts
Make sure these are google chrome DBS queries. Chrome will prefetch DNS and then do random DNS queries to verify the results aren't tampered with. See
3 Posts
DNS not DBS. Autocorrect fail. Aren't not are. Human fail.
3 Posts
Just to clarify; the queries were sent to our nameserver from clients using IP's registered to Google.
Log example:
14-Jan-2012 00:36:15.346 queries: client query: IN A -E
If these are Google Chrome queries, the the Chrome clients are within the Google network.

10 Posts
might be some sort of dns verification for some Google apps services

but Google's DNS verification of domain ownership for apps usually uses TXT records not A / AAAA records, unless Google is testing some new verification method...

another reason might be that there's a badly configured DNSSEC option somewhere...

12 Posts
Since DNSSEC was mentioned.. didn't Comcast roll out DNSSEC this week to residential customers?
4 Posts
Could possibly be a query from someone running dnsenum ( or similar tool. It does a wildcard check to look for a *.domain entry, the default test is "pseudorandabcdefuvwxyz0123456789". It doesn't match the pattern, but it matches the length.
1 Posts

Sign Up for Free or Log In to start participating in the conversation!