
SANS ISC: abnormal DNS queries mostly from AWS - Internet Security | DShield SANS ISC InfoSec Forums


abnormal DNS queries mostly from AWS
>The "-EDC" query type/flags (what is that?) appears unique to these queries only

- or + if recursion is requested
E if EDNS0 is enabled
D if DNSSEC is requested
C if checking disabled flag is set

Look for BIND querylog flags for more info
Ph

4 Posts
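As an added example (not code from the thread or from BIND), here is a small Python parser for BIND querylog lines that decodes the flag field the post above describes and counts repeated (name, type, flags) signatures, so a sustained stream like the "-EDC" reverse lookup discussed in this thread stands out. The log lines are constructed, and the regex assumes the stock querylog line format.

```python
import re
from collections import Counter

# Constructed sample lines in BIND's querylog format (not real log data from the thread).
SAMPLE_LOG = """\
client 203.0.113.10#41234 (4.3.2.1.in-addr.arpa): query: 4.3.2.1.in-addr.arpa IN PTR -EDC (198.51.100.53)
client 203.0.113.10#41235 (ns1.example.net): query: ns1.example.net IN A -EDC (198.51.100.53)
client 203.0.113.11#50001 (4.3.2.1.in-addr.arpa): query: 4.3.2.1.in-addr.arpa IN PTR -EDC (198.51.100.53)
client 192.0.2.7#33000 (www.example.net): query: www.example.net IN A +E(0) (198.51.100.53)
client 192.0.2.8#33001 (www.example.net): query: www.example.net IN AAAA + (198.51.100.53)
"""

# Stock querylog line; the optional "@0x..." client pointer appears in newer BIND releases.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\da-fA-F.:]+)#\d+ \(.*?\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[-+][A-Z()\d]*) "
    r"\((?P<server>[\da-fA-F.:]+)\)"
)

# Letters after the +/- recursion marker, as documented for BIND's querylog.
FLAG_LETTERS = {
    "E": "EDNS0",
    "D": "DNSSEC OK (DO bit)",
    "C": "checking disabled (CD bit)",
    "T": "over TCP",
    "S": "TSIG/SIG(0) signed",
}

def decode_flags(flags):
    """Translate a flag field such as '-EDC' or '+E(0)' into words."""
    out = ["recursion desired" if flags[0] == "+" else "recursion not desired"]
    for letter, version in re.findall(r"([A-Z])(?:\((\d+)\))?", flags[1:]):
        name = FLAG_LETTERS.get(letter, f"unknown flag {letter}")
        out.append(f"{name} version {version}" if version else name)
    return out

def parse_querylog(text):
    """Return one dict per line that matches the querylog format; other lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def repeated_signatures(records, min_count=2):
    """Count (qname, qtype, flags) triples; the same record with an odd flag string repeats here."""
    counts = Counter((r["qname"], r["qtype"], r["flags"]) for r in records)
    return {key: n for key, n in counts.items() if n >= min_count}

def clients_for(records, qname, flags):
    """Distinct source addresses behind one (qname, flags) pair, for abuse reports or rate limits."""
    return sorted({r["client"] for r in records if r["qname"] == qname and r["flags"] == flags})
```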
Are they just querying for example.net over and over or are your logs hiding the actual results?

Might be a DNS amplification attack. Or a poor attempt at a DoS.

My suggestion is to blackhole all of AWS traffic. Nothing but crap out of there anyways.
Darron Wyke

15 Posts
Yes, agree.
Anonymous

I also got messages many times from my dedicated server provider; this is due to copyrighted material. Also, can you let me know what your website content is about?
Anonymous

It's the same record over and over again, a reverse lookup of an IP (my NTP server), then a lookup of all of my name servers. The "-EDC" signature is rarely seen otherwise, just this traffic.

The objective or purpose of this behavior isn't clear. Maybe a bad image with a rogue script?
It's not really a DoS, but because my secondary DNS is hosted in the cloud... I am paying for these useless queries. This single record, then the 6 name server lookups, account for more than 300% of all of my other DNS queries, combined! But it's a fairly fixed/sustained rate (for months now, it did start in mid Nov 2016 and took a month to ramp up to current levels: hence my hypothesis about some image that got spun up), and easily handled by the servers.

I don't admin the secondary/slave DNS servers, so my options seem limited. AWS appears to care less.

My domain is just a personal web site... has my resume, not much else. No content. But the host in question was an NTP server in pool.ntp.org. I have since removed my server, with no effect on these queries.
Anonymous
