dns requests for odd domain names like mAiL.myDOmAIn.De

domain-name-system bind

I have turned on logging in named. About 2% of all requests contain an odd mix of uppercase and lowercase domain, like

Jan  7 10:38:46 s1500 named[27917]: client ip address#34084: query: mAIl.MYdoMain.de IN A - (my ip address)
Jan  7 10:39:40 s1500 named[27917]: client ip address#53023: query: MAil.mYdoMAIn.De IN A - (my ip address)
Jan  7 12:10:07 s1500 named[27917]: client ip address#53576: query: SErver25.mydomAiN.De IN A - (my ip address)

The upper-/lowercase mix changes even if requested from the same client, some requests are just seconds apart. Most requests seem to originate from local (german) DSL providers.

Can someone explain what is going on here? I have no idea why anyone would randomize the domain name capitalization, or which security problem the attacker wants to take advantage of.


They/their clients might be using a DNS implementation which uses 0x20-bit encoding (which helps preventing DNS forgery).
This basically adds more entropy to DNS requests, an attacker now has to guess query ID, source port and query name in the proper case to successfully forge the response.

See https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00

Related

Optimizing VPS Server Memory
What Linux command do I type to see my MySQL server load in real time?
Why does host swap out VMs when there are 16GB of buffer cache and swappiness = 0? [duplicate]
Scheduling a Task for every minute in Windows 2012
Will kerberos work with CNAMEs if I have the SPN created for the A record as well?
ProxyChains is redirecting packets destined to local machine to the proxy server
How to combine two Active Directory domains [closed]
iis 7 application pools not starting after installing ibm client access
sudo /etc/init.d/postgresql restart (how to chose which installation?)
vsftpd: refusing to run with writable root inside chroot
backup and restoration of a freeipa infrastructure
Puppet&Hiera: $variable is not an hash or array when accessing it