No final do dia, depois de investigar o problema, as VMs que fazem solicitações de DNS de casos mistos são máquinas do OpenBSD executando rebound
, um proxy DNS usado no OpenBSD.
Além disso, parece que atualmente é prática comum rebound
, Unbound
, pydig
e Tor
fazer essas consultas de casos mistos como uma medida de segurança.
Assim, as consultas não são o resultado de malware neste caso.
De Uso de consultas de caso misto DNS
These queries appear to be the result of DNS servers supporting a relatively new DNS security mechanism, "0x20 Bit encoding". The approach got its name from encoding a bit value using the case of letters. if bit 0x20 is set in a byte, the letter is lower case. If it is cleared, the letter is upper case.
Host names are not case sensitive. However, the case is maintained. The answer will use the same mixed case as the query.
As it turns out, almost all DNS servers follow this behaviour. The new part is that now some DNS servers start to deliveratly encode a random value into each query they send, and then verify if the value is maintained in the response. This in effect adds additional bits to the query id.
While this is clearly a "hack", it is a pretty attractive one. If your DNS server supports this feature, it will automatically gain a few more bits of "spoofing resistance". The DNS servers it connects to do not need to change anything. Unlike for DNSSEC, which is of course the real fix, but requires extensive work to configure,and has to be configured for each zone.
De calomel - tutorial de DNS não consolidado
What is dns-0x20 capitalization randomization ?
Capitalization randomization is also called dns-0x20. This is an experimental resilience method which uses upper and lower case letters in the question hostname to obtain randomness. On average adding about 7 or 8 bits of entropy. This method currently has to be turned on by the dns admin manually, as it may result in maybe 0.4% of domains getting no answers due to no support on the authoritative server side. In our second example we enable the directive "use-caps-for-id: yes" for better security using dns-0x20.
All this means is that calomel.org is the same as CaLOMeL.Org which is the same as CALOMEL.ORG. When Unbound sends a query to a remote server it sends the hostname string in random upper and lower characters. The remote server must resolve the hostname as if all the characters were lower case. The remote server must then send the query back to Unbound in the same random upper and lower characters that Unbound sent. If the characters of the hostname in the response are in the same format as the query then the dns-0x20 check is satisfied.
Attackers hoping to poison a Unbound DNS cache must therefore guess the mixed-case encoding of the query and the timing of the return dns answer in addition to all other fields required in a DNS poisoning attack. dns-0x20 increases the difficulty of the attack significantly.
Pergunta relacionada: Chrome: solicitações de DNS com nomes DNS aleatórios: malware?