We received a query from one of our readers earlier today asking about some odd DNS traffic that they have been seeing at their site over the last several months.
The traffic is directed at a DNS server that is acting only as a caching server for outbound queries which originate within the local site. No inbound queries from the Internet are allowed.
The inbound traffic pattern is thus:
1) An ICMP echo-request is sent to the local DNS server.
2) A UDP DNS query for the root DNS servers is sent to the local DNS server.
3) A UDP PTR query for the IP address of the local DNS server is sent to the local DNS server.
4) Last, a malformed TCP DNS packet is sent to the local DNS server. This packet has the SYN flag set.
This traffic has come "from" many different source IP addresses during this time. For a given instance of this traffic pattern, the four packets all come from the same source IP address.
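The fact that all four packets in one instance share a source address makes the pattern easy to correlate in a packet or firewall log. The following is an added example, not code from the original diary: it reads a constructed, simplified log format (epoch seconds, source IP, destination IP, protocol, detail), groups packets by source, and reports any source that sent the four stages in order within a time window. The resolver address (192.0.2.53), the 300-second window, the log format and the detail strings ("echo-request", "query NS .", "query PTR ...", "SYN dport=53") are all assumptions for this example.

```python
"""Correlate the four-packet probe sequence against a caching resolver.

Added example (not from the original diary). Log format is constructed:

    <epoch-seconds> <src-ip> <dst-ip> <proto> <detail>

Stages, in order, for one source IP within a time window:
  1. ICMP echo-request to the resolver
  2. UDP NS query for the root (".")
  3. UDP PTR query for the resolver's own address
  4. TCP SYN to port 53
"""
from collections import defaultdict
from ipaddress import ip_address

RESOLVER_IP = "192.0.2.53"   # assumed resolver address (constructed)
WINDOW_SECONDS = 300         # assumed correlation window


def build_stages(resolver_ip):
    """Return the ordered list of (name, predicate) pairs for one resolver."""
    # reverse_pointer yields e.g. "53.2.0.192.in-addr.arpa" for 192.0.2.53
    self_ptr = f"query PTR {ip_address(resolver_ip).reverse_pointer}"
    return [
        ("icmp-echo", lambda p, d: p == "ICMP" and d == "echo-request"),
        ("root-ns-query", lambda p, d: p == "UDP" and d == "query NS ."),
        ("self-ptr-query", lambda p, d: p == "UDP" and d == self_ptr),
        ("tcp-syn-53", lambda p, d: p == "TCP" and d == "SYN dport=53"),
    ]


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, src, dst, proto, detail = line.split(maxsplit=4)
    return float(ts), src, dst, proto, detail


def find_probe_sequences(lines, resolver_ip=RESOLVER_IP, window=WINDOW_SECONDS):
    """Return {src_ip: (first_ts, last_ts)} for sources completing all stages."""
    stages = build_stages(resolver_ip)
    by_src = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, detail = parse_line(line)
        if dst != resolver_ip:          # only traffic aimed at the resolver
            continue
        by_src[src].append((ts, proto, detail))

    hits = {}
    for src, pkts in by_src.items():
        pkts.sort()                      # chronological order per source
        stage, start = 0, None
        for ts, proto, detail in pkts:
            if start is not None and ts - start > window:
                stage, start = 0, None   # window expired: start over
            _name, pred = stages[stage]
            if pred(proto, detail):
                if stage == 0:
                    start = ts
                stage += 1
                if stage == len(stages):
                    hits[src] = (start, ts)
                    break
    return hits


# Constructed sample log: one full sequence (203.0.113.7), one partial
# (198.51.100.9), ordinary client traffic (10.0.0.5), and one sequence
# whose later stages fall outside the window (203.0.113.20).
SAMPLE_LOG = """
1700000000 203.0.113.7 192.0.2.53 ICMP echo-request
1700000001 203.0.113.7 192.0.2.53 UDP query NS .
1700000002 203.0.113.7 192.0.2.53 UDP query PTR 53.2.0.192.in-addr.arpa
1700000003 203.0.113.7 192.0.2.53 TCP SYN dport=53
1700000010 198.51.100.9 192.0.2.53 ICMP echo-request
1700000011 198.51.100.9 192.0.2.53 UDP query A www.example.com
1700000020 10.0.0.5 192.0.2.53 UDP query A www.example.com
1700000030 203.0.113.20 192.0.2.53 ICMP echo-request
1700000900 203.0.113.20 192.0.2.53 UDP query NS .
1700000901 203.0.113.20 192.0.2.53 UDP query PTR 53.2.0.192.in-addr.arpa
1700000902 203.0.113.20 192.0.2.53 TCP SYN dport=53
"""

if __name__ == "__main__":
    for src, (first, last) in find_probe_sequences(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: full probe sequence between {first:.0f} and {last:.0f}")
```

On the sample above only 203.0.113.7 is reported; 198.51.100.9 stops after the ping, and 203.0.113.20 sends the remaining three packets more than 300 seconds after its echo-request, so the window resets and the sequence never completes. Tightening or widening the window is the main tuning knob.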
If anyone else is seeing traffic like this, we would like to hear from you.