This week I started seeing more DNS related activity being identified by Threatintel and that got me curious. While reviewing my logs, I noticed that Wednesday and Thursday had an unusual spike for many inbound unsolicited DNS queries for the domain census.gov.
Wednesday and Thursday, in a period of 24 hours, a total of 1606 queries was received for domain census.gov. The two IPs 18.104.22.168 (1335 requests) was the first set of inbound DNS queries followed by IP 22.214.171.124 (271 requests). IP 126.96.36.199 also sent 272 requests for domain pizzaseo.com yesterday. DNS amplification attack?
There used to be a time when seeing unsolicited queries to identify vulnerable DNS Bind version was very common. A review of my logs for the month of July contained many other domains including various combination of VERSION.BIND (upper/lower case). This is the top 15 DNS questions asked for this month with the top Threatintel associated with the IPs asking the query:
Indicators – Top 10 IPs
188.8.131.52 -> census.gov, sl
184.108.40.206 -> census.gov, pizzaseo.com, sl
220.127.116.11 -> VERSION.BIND, sl
Have you noticed an increase in unsolicited DNS queries?
Guy Bruneau IPSS Inc.
My Handler Page
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.