(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


Strange DNS queries: qname "miep", qtype ANY

Posted May 03, 2019 by shaun

One of my DNS servers has been seeing some unusual bursts of traffic over the past month. At random intervals, several hundred rapid queries for qname miep and qtype ANY will arrive, appearing in BIND's security log like this:

03-May-2019 16:05:18.430 security: info: client @0x7f392c0bcfe0 83.83.115.193#41373 (miep): query (cache) 'miep/ANY/IN' denied
03-May-2019 16:05:18.430 security: info: client @0x7f392c0bcfe0 83.83.115.193#41373 (miep): query (cache) 'miep/ANY/IN' denied
03-May-2019 16:05:18.430 security: info: client @0x7f392c0cb600 83.83.115.193#41373 (miep): query (cache) 'miep/ANY/IN' denied
03-May-2019 16:05:18.430 security: info: client @0x7f392c0bcfe0 83.83.115.193#41373 (miep): query (cache) 'miep/ANY/IN' denied

At first glance, this resembles a DNS amplification attack. For one thing, attackers favor the ANY qtype in such attacks because it maximizes the size of the answer packets (which is why it is discouraged today, and why RFC 8482 lets servers answer it minimally). Secondly, the origin IPs are probably forged, considering the legitimate resolver 1.1.1.1 has been among them. Trouble is, there's no such zone as miep, so there's nothing to amplify here (and my servers wouldn't answer that query, regardless). Even the denial is useless to an attacker: a REFUSED response carries only the DNS header and the echoed question, so it is no bigger than the query that triggered it. If this is supposed to be part of a DDoS, it looks like an abject failure.
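The two points above (spotting per-client bursts of denied ANY queries in BIND's security log, and checking how much a REFUSED answer could actually amplify) can be worked through concretely. The following is an added example, not code from the original post: it parses log lines in the format shown above, reports any client that sends a threshold number of denied ANY queries within one wall-clock second, and builds the wire-format miep/ANY query and its REFUSED reply to compare sizes. The sample log lines are constructed here (the IP addresses are the one shown in the log excerpt, 1.1.1.1 as mentioned in the text, and the documentation address 192.0.2.10); the burst threshold and the query ID are arbitrary.

```python
"""
Added example (not from the original post): parse BIND security-log lines
like the ones shown above, find per-client bursts of denied ANY queries, and
measure how much a REFUSED response could amplify the query that caused it.
"""
import re
import struct
from collections import Counter, defaultdict

# Matches the "query (cache) 'qname/qtype/qclass' denied" security-log
# format shown above. The fractional seconds are dropped from `ts` so that
# counts can be grouped per wall-clock second.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ security: info: "
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query \((?:cache|recursive)\) "
    r"'(?P<q>[^/']*)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)


def parse_line(line):
    """Return the fields of one denied-query log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def denied_any_bursts(lines, threshold=100):
    """Return {ip: peak per-second count} for clients that sent at least
    `threshold` denied ANY queries within a single second."""
    per_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "ANY":
            continue
        per_second[(rec["ip"], rec["ts"])] += 1
    peak = defaultdict(int)
    for (ip, _ts), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


QTYPES = {"A": 1, "TXT": 16, "ANY": 255}


def build_query(qname, qtype, qid=0x1234):
    """Wire-format DNS query: 12-byte header plus one question, no EDNS OPT record."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".") if label
    )
    question = labels + b"\x00" + struct.pack(">HH", QTYPES[qtype], 1)  # class IN
    return header + question


def refused_response(query):
    """The reply a non-recursive server gives to a query it denies: the same
    header with QR=1 and RCODE=5 (REFUSED) and the echoed question, no answers."""
    qid, flags = struct.unpack(">HH", query[:4])
    flags = ((flags | 0x8000) & 0xFFF0) | 5  # set QR, replace RCODE with REFUSED
    return struct.pack(">HH", qid, flags) + query[4:]


def amplification_factor(qname, qtype):
    """Bytes reflected back per byte sent, for a query the server refuses."""
    q = build_query(qname, qtype)
    return len(refused_response(q)) / len(q)


def _constructed_log(ip, second, count, qname="miep", qtype="ANY"):
    """Constructed sample lines in the format shown above (not a real capture)."""
    return [
        f"03-May-2019 16:05:{second:02d}.{i % 1000:03d} security: info: client "
        f"@0x7f392c0bcfe0 {ip}#41373 ({qname}): query (cache) '{qname}/{qtype}/IN' denied"
        for i in range(count)
    ]


SAMPLE_LINES = (
    _constructed_log("83.83.115.193", 18, 300)   # burst of ANY queries in one second
    + _constructed_log("1.1.1.1", 19, 150)        # a public resolver's address as "origin"
    + _constructed_log("192.0.2.10", 20, 3)       # a few stray queries, below threshold
    + _constructed_log("192.0.2.10", 21, 500, qname="example.com", qtype="A")  # not ANY
    + ["this line is not a BIND security log entry"]
)

if __name__ == "__main__":
    for ip, peak in sorted(denied_any_bursts(SAMPLE_LINES).items()):
        print(f"{ip}: peak {peak} denied ANY queries/second")
    q = build_query("miep", "ANY")
    print(f"miep/ANY query {len(q)} bytes, REFUSED reply {len(refused_response(q))} bytes, "
          f"amplification factor {amplification_factor('miep', 'ANY'):.2f}")
```

The 22-byte miep/ANY query gets a 22-byte REFUSED reply, an amplification factor of exactly 1. A real client would usually add an EDNS OPT record, and BIND echoes one in the refusal, but that still leaves the reply roughly the size of the query. Only an authoritative answer with records (or an open recursive resolver willing to fetch them) would give an attacker the tens-of-times amplification that makes ANY reflection worthwhile.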

Some other observations about this traffic:

  • I run several authoritative DNS servers, but only one is seeing this traffic
  • The resolver being queried is not and has never been an open recursive resolver
  • I can only find one other report of this behavior
  • The traffic in question is increasing, both in query volume and in the number of origins (targets)
  • Most of the IPs involved are Netherlands-based VPSes or residential broadband connections

I've posted a log of observed queries (~2.4 MB) as of 2019-08-17.

I'm used to DNS recon noise as bots scan the world for open resolvers, but this traffic is just weird. If you have any idea what's responsible for it, please reply to this tweet.


