SANS ISC: Unsolicited DNS Queries - SANS Internet Storm Center SANS ISC InfoSec Forums

Unsolicited DNS Queries

This week I started seeing more DNS related activity being identified by Threatintel and that got me curious. While reviewing my logs, I noticed that Wednesday and Thursday had an unusual spike for many inbound unsolicited DNS queries for the domain

Wednesday and Thursday, in a period of 24 hours, a total of 1606 queries were received for domain The two IPs (1335 requests) were the first set of inbound DNS queries, followed by IP (271 requests). IP also sent 272 requests for domain yesterday. DNS amplification attack?

There used to be a time when seeing unsolicited queries to identify vulnerable DNS BIND versions was very common. A review of my logs for the month of July contained many other domains, including various combinations of VERSION.BIND (upper/lower case). These are the top 15 DNS questions asked for this month, with the top Threatintel associated with the IPs asking the query:

[Table: Indicators - Top 10 IPs (contents not preserved; surviving entry: VERSION.BIND, sl)]

Have you noticed an increase in unsolicited DNS queries?


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


522 Posts
ISC Handler
Jul 31st 2021
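
One way to produce the per-question and per-source counts discussed in the diary, added here as an example and not the author's own tooling. It assumes BIND 9 style query-log lines; the sample log, addresses, domains and the function names `parse_queries` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in BIND 9 query-log style (assumed format).
# Addresses and domains are documentation/reserved values, not data from the diary.
SAMPLE_LOG = """\
31-Jul-2021 10:15:01.101 queries: info: client @0x7f1a2c0 192.0.2.10#53124 (example.com): query: example.com IN A +E(0) (203.0.113.5)
31-Jul-2021 10:15:01.350 queries: info: client @0x7f1a2c0 192.0.2.10#40112 (example.com): query: example.com IN A +E(0) (203.0.113.5)
31-Jul-2021 10:15:02.007 queries: info: client @0x7f1a2c8 192.0.2.11#33901 (EXAMPLE.com): query: EXAMPLE.com IN A + (203.0.113.5)
31-Jul-2021 10:15:03.440 general: info: zone example.org/IN: loaded serial 2021073101
31-Jul-2021 10:16:10.912 queries: info: client @0x7f1a2d0 198.51.100.7#4444 (VERSION.BIND): query: VERSION.BIND CH TXT + (203.0.113.5)
31-Jul-2021 10:16:11.015 queries: info: client @0x7f1a2d0 198.51.100.7#4445 (version.bind): query: version.bind CH TXT + (203.0.113.5)
31-Jul-2021 10:16:12.630 queries: info: client @0x7f1a2d8 198.51.100.8#5120 (Version.Bind): query: Version.Bind CH TXT + (203.0.113.5)
31-Jul-2021 10:17:45.201 queries: info: client @0x7f1a2e0 192.0.2.10#61200 (example.net): query: example.net IN ANY +E(0) (203.0.113.5)
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_queries(text):
    """Yield (src, qname, qclass, qtype); names are case-folded because DNS names are case-insensitive."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line (e.g. zone load messages)
        qname = m["qname"].lower().rstrip(".") or "."
        yield m["src"], qname, m["qclass"].upper(), m["qtype"].upper()

def summarize(text, top_n=15):
    """Return (top questions, per-question source counts, version.bind probe sources)."""
    questions = Counter()
    sources = defaultdict(Counter)
    version_probes = Counter()
    for src, qname, qclass, qtype in parse_queries(text):
        questions[(qname, qclass, qtype)] += 1
        sources[qname][src] += 1
        if qname == "version.bind" and qclass in ("CH", "CHAOS"):
            version_probes[src] += 1
    return questions.most_common(top_n), dict(sources), dict(version_probes)

if __name__ == "__main__":
    top, sources, probes = summarize(SAMPLE_LOG)
    for (qname, qclass, qtype), count in top:
        print(f"{count:6d}  {qname} {qclass} {qtype}  sources={dict(sources[qname])}")
    print("version.bind probes by source:", probes)
```

Folding the question name to lower case before counting keeps the upper/lower-case variants of VERSION.BIND in a single bucket, so a scanner that varies the case does not get split across several low-count rows.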
Spike ? Yes

multi homed, during July one side picked up: 260044
other targets 979

the other side: 289920
other targets 3346

this does not count duplicate / message repeated log entries

typical month would see counts around 2000
We are seeing >500K requests for from a number of IP addresses for past 7 days. Around 1.8M since 14 July when these requests started coming in large numbers

Only around 3700 requests for past 7 days
I experienced several times the normal number of DNS queries over about 24 hours ending on July 31st. This was followed by a short burst of queries about 3 times the prior rate. Peak rate recorded by Munin was 151 A record queries and 11 TXT record queries per second. Normal rates are less than 1 query per second. Looking back at historical data the peak was 172 for the month and 741 for the year. The latest event lasted much longer than prior events.

3 Posts
