[nSLUG] [OT] Re: Numerous probes seen as bogus DNS "replies"

Mike Spencer mspencer at tallships.ca
Thu Jul 3 23:26:39 ADT 2014

Robert McKay <robert at mckay.com> wrote:

> The random hostname lookups look like a bailiwick DNS attack against a 
> recursive dns server.

Ha! "Bailiwick" is the key word I needed to find an explanation.  I
get it now.  Thank you, Rob.

For others that share my ignorance and my curiosity, there's a very
clear, detailed explanation with nice diagrams here:


> ...for this to work it would have to be targeting a recursor on
> your IP...

According to the above-mentioned explanation,

     + Attacker sends query for impossible-bogus-host.real-domain.com

     + to target DNS server and simultaneously

     + floods target with forged replies attempting to impersonate the
       authoritative nameserver for real-domain.com

so the actual answer to the initial query doesn't matter -- it's
always going to be a failure of some kind anyhow. Since the reply
doesn't matter, the src address of the original query can be anything.

So when I see:

01:49:39 IP >  29810 ServFail 0/0/0 (53)

that contains a (copy of the original) query for:


I infer that [unknown IP] has sent a query to in the hopes
of highjacking authority for the dongdongwg.com domain. The attacker
never wants to see the actual reply and so sticks random  (or
possibly strategically chosen) addresses into the IP src field of the

So, is somebody furiously trying to highjack authority status for
numerous Chinese domains on hundreds of name servers?  Interesting.

Thanks all,
- Mike

Michael Spencer                  Nova Scotia, Canada       .~. 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^

More information about the nSLUG mailing list