SANS ISC InfoSec Handlers Diary Blog

Unsolicited DNS Queries

Published: 2021-07-31
Last Updated: 2021-07-31 12:38:25 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

This week I started seeing more DNS-related activity being identified by Threatintel, and that got me curious. While reviewing my logs, I noticed that Wednesday and Thursday had an unusual spike of inbound unsolicited DNS queries for the domain

Wednesday and Thursday, in a period of 24 hours, a total of 1606 queries were received for domain The two IPs (1335 requests) were the first set of inbound DNS queries, followed by IP (271 requests). IP also sent 272 requests for domain yesterday. DNS amplification attack?

There used to be a time when seeing unsolicited queries to identify a vulnerable DNS BIND version was very common. A review of my logs for the month of July contained many other domains, including various combinations of VERSION.BIND (upper/lower case). These are the top 15 DNS questions asked this month, with the top Threatintel associated with the IPs asking the query:

Indicators - Top 10 IPs ->, sl ->,, sl -> VERSION.BIND, sl
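As an added example (not part of this diary and not ISC tooling), the script below performs the kind of log review described above over a constructed BIND-style query log: it counts queries per domain and per source IP, matches VERSION.BIND probes regardless of letter case (class CH, TXT), and lists sources that send repeated ANY queries or exceed a volume threshold, the two signs a defender would look at when asking the diary's "amplification attack?" question. The log lines, IP addresses, the `LOG_RE` pattern and the `volume_threshold` parameter are all assumptions made for this example; the line layout loosely follows BIND's query log but the parser is hypothetical.

```python
"""
Added example: summarise unsolicited inbound DNS queries from a BIND-style
query log. Log lines and IPs below are constructed (documentation ranges).
"""
import re
from collections import Counter

# Hypothetical pattern: pulls client IP, query name, class and type from a line
# shaped like "client <ip>#<port> (<name>): query: <name> <class> <type> ...".
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+.*?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample log: repeated ANY queries from two sources, two
# VERSION.BIND probes in different letter case, one ordinary A query, and one
# non-query line that the parser must skip.
SAMPLE_LOG = """\
28-Jul-2021 10:00:00.000 general: info: zone example.test/IN: loaded serial 1
28-Jul-2021 10:01:02.123 queries: info: client 192.0.2.10#4545 (example.test): query: example.test IN ANY + (198.51.100.1)
28-Jul-2021 10:01:02.456 queries: info: client 192.0.2.10#4545 (example.test): query: example.test IN ANY + (198.51.100.1)
28-Jul-2021 10:01:03.001 queries: info: client 192.0.2.11#53000 (example.test): query: example.test IN ANY + (198.51.100.1)
28-Jul-2021 10:02:00.010 queries: info: client 203.0.113.7#1337 (VERSION.BIND): query: VERSION.BIND CH TXT - (198.51.100.1)
28-Jul-2021 10:02:00.020 queries: info: client 203.0.113.7#1337 (version.bind): query: version.bind CH TXT - (198.51.100.1)
28-Jul-2021 10:03:00.000 queries: info: client 192.0.2.12#2222 (www.example.test): query: www.example.test IN A + (198.51.100.1)
"""


def parse_queries(text):
    """Return one dict per query line; qname is lower-cased with no trailing dot."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query record (zone loads, errors, ...)
        rec = m.groupdict()
        rec["qname"] = rec["qname"].lower().rstrip(".")
        rec["qclass"] = rec["qclass"].upper()
        rec["qtype"] = rec["qtype"].upper()
        records.append(rec)
    return records


def summarize(records, volume_threshold=2):
    """Aggregate parsed records into the counters a reviewer wants to see."""
    per_domain = Counter(r["qname"] for r in records)
    per_ip = Counter(r["ip"] for r in records)
    # VERSION.BIND is a CHAOS-class TXT query; comparing the lower-cased name
    # catches the upper/lower-case variants the diary mentions.
    version_probes = Counter(
        r["ip"] for r in records
        if r["qname"] == "version.bind" and r["qclass"] == "CH"
    )
    # ANY returns the largest answer for the smallest request, so repeated ANY
    # queries from one source are the classic amplification indicator.
    any_by_ip = Counter(r["ip"] for r in records if r["qtype"] == "ANY")
    noisy_sources = sorted(ip for ip, n in per_ip.items() if n >= volume_threshold)
    return {
        "per_domain": per_domain,
        "per_ip": per_ip,
        "version_probes": version_probes,
        "any_by_ip": any_by_ip,
        "noisy_sources": noisy_sources,
    }


def report(text, volume_threshold=2):
    """Parse and summarise a query log in one call."""
    return summarize(parse_queries(text), volume_threshold)


if __name__ == "__main__":
    s = report(SAMPLE_LOG)
    print("queries per domain:")
    for name, n in s["per_domain"].most_common():
        print(f"{n:5d}  {name}")
    print("VERSION.BIND probes from:", dict(s["version_probes"]))
    print("ANY queries per source:", dict(s["any_by_ip"]))
    print("sources at/above threshold:", s["noisy_sources"])
```

On a real log the `volume_threshold` would be set far higher than 2 (the diary's sources sent hundreds to over a thousand queries in a day); the low value here only makes the constructed sample trip the check. Matching VERSION.BIND by class and lower-cased name rather than by exact string is the point of the probe check, since the diary notes the queries arrive in mixed case.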

Have you noticed an increase in unsolicited DNS queries?


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
