dns requests for odd domain names like mAiL.myDOmAIn.De

I have turned on logging in named. About 2% of all requests contain an odd mix of uppercase and lowercase domain, like

Jan  7 10:38:46 s1500 named[27917]: client ip address#34084: query: mAIl.MYdoMain.de IN A - (my ip address)
Jan  7 10:39:40 s1500 named[27917]: client ip address#53023: query: MAil.mYdoMAIn.De IN A - (my ip address)
Jan  7 12:10:07 s1500 named[27917]: client ip address#53576: query: SErver25.mydomAiN.De IN A - (my ip address)

The upper-/lowercase mix changes even if requested from the same client; some requests are just seconds apart. Most requests seem to originate from local (German) DSL providers.

Can someone explain what is going on here? I have no idea why anyone would randomize the domain name capitalization, or which security problem the attacker wants to take advantage of.


They/their clients might be using a DNS implementation which uses 0x20-bit encoding (which helps prevent DNS forgery).
This basically adds more entropy to DNS requests; an attacker now has to guess the query ID, source port and query name in the proper case to successfully forge the response.

See https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00
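An added illustration, not part of the question or the answer above, of what 0x20 encoding does on the resolver side (random case per query, byte-for-byte comparison of the echoed name) and how to pick such queries out of a named query log. The log lines and IP addresses are constructed for the example.

```python
import re
import secrets

# Constructed sample lines in the named query-log format shown in the question.
SAMPLE_LOG = """\
Jan  7 10:38:46 s1500 named[27917]: client 192.0.2.10#34084: query: mAIl.MYdoMain.de IN A - (192.0.2.1)
Jan  7 10:39:40 s1500 named[27917]: client 192.0.2.10#53023: query: MAil.mYdoMAIn.De IN A - (192.0.2.1)
Jan  7 12:10:07 s1500 named[27917]: client 192.0.2.11#53576: query: www.example.net IN A - (192.0.2.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def letters(qname: str) -> int:
    """Number of ASCII letters = extra entropy bits that 0x20 encoding adds."""
    return sum(1 for c in qname if c.isascii() and c.isalpha())

def encode_0x20(qname: str, mask: int) -> str:
    """Apply the 0x20 trick: bit i of `mask` chooses the case of the i-th letter."""
    out, bit = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (mask >> bit) & 1 else ch.lower())
            bit += 1
        else:
            out.append(ch)
    return "".join(out)

def random_0x20(qname: str) -> str:
    """What a 0x20-enabled resolver sends: a fresh random case pattern per query."""
    n = letters(qname)
    return encode_0x20(qname, secrets.randbits(n)) if n else qname

def response_accepted(sent_qname: str, echoed_qname: str) -> bool:
    """Resolver-side check: the QNAME echoed in the reply must match exactly.
    A spoofer who guesses ID and port but not the case pattern fails here."""
    return sent_qname == echoed_qname

def looks_0x20(qname: str) -> bool:
    """Log-review heuristic: a name that mixes upper- and lowercase letters."""
    return qname != qname.lower() and qname != qname.upper()

def mixed_case_queries(log_text: str) -> list:
    """Return the query names in a named query log that show 0x20-style casing."""
    found = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and looks_0x20(m.group("qname")):
            found.append(m.group("qname"))
    return found
```

Note that the same resolver re-randomises the case on every query, which is exactly the "changes even from the same client" pattern in the question.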