
I am seeing some strange DNS queries. They have seemingly random mixed case coming from machines in my network.

Is it possible I have malware?

$ sudo tcpdump -n port 53
16:42:57.805038 192.168.5.134.47813 > 192.168.5.2.53: 27738+ A? Www.sApO.PT. (29)
16:42:57.826942 192.168.5.2.53 > 192.168.5.134.47813: 27738 1/0/0 A 213.13.146.142 (45)
16:43:02.813782 192.168.5.2.53 > 192.168.5.134.12193: 17076 1/0/0 A 213.13.146.142 (45)
16:43:06.232232 192.168.5.134.44055 > 192.168.5.2.53: 28471+ A? www.SaPo.pt. (29)
16:43:06.253887 192.168.5.2.53 > 192.168.5.134.44055: 28471 1/0/0 A 213.13.146.142 (45)
16:45:22.135751 192.168.5.134.11862 > 192.168.5.2.53: 48659+ A? wwW.cnn.COm. (29)
16:45:22.190254 192.168.5.2.53 > 192.168.5.134.11862: 48659 2/0/0 CNAME turner-tls.map.fastly.net., (84)
16:45:27.142154 192.168.5.134.34929 > 192.168.5.2.53: 25816+ A? wWw.cnN.com. (29)
16:45:27.168537 192.168.5.2.53 > 192.168.5.134.34929: 25816 2/0/0 CNAME turner-tls.map.fastly.net., (84)
16:45:32.150473 192.168.5.134.29932 > 192.168.5.2.53: 40674+ A? wWw.cnn.cOM. (29)
16:45:32.173422 192.168.5.2.53 > 192.168.5.134.29932: 40674 2/0/0 CNAME turner-tls.map.fastly.net., (84)
Rui F Ribeiro

1 Answer

At the end of day, after investigating the issue, the VMs doing mixed case DNS requests are OpenBSD machines running rebound, a DNS proxy used in OpenBSD.

Moreover, it appears it is nowadays common practice for rebound, Unbound, pydig and Tor to make such mixed case queries as a security measure.

Thus, the queries are not the result of malware in this case.

From Use of Mixed Case DNS Queries

These queries appear to be the result of DNS servers supporting a relatively new DNS security mechanism, "0x20 Bit encoding". The approach got its name from encoding a bit value using the case of letters. If bit 0x20 is set in a byte, the letter is lower case. If it is cleared, the letter is upper case.

Host names are not case sensitive. However, the case is maintained. The answer will use the same mixed case as the query.

As it turns out, almost all DNS servers follow this behaviour. The new part is that now some DNS servers start to deliberately encode a random value into each query they send, and then verify if the value is maintained in the response. This in effect adds additional bits to the query id.

While this is clearly a "hack", it is a pretty attractive one. If your DNS server supports this feature, it will automatically gain a few more bits of "spoofing resistance". The DNS servers it connects to do not need to change anything. Unlike for DNSSEC, which is of course the real fix, but requires extensive work to configure, and has to be configured for each zone.

From calomel - Unbound DNS Tutorial

What is dns-0x20 capitalization randomization?

Capitalization randomization is also called dns-0x20. This is an experimental resilience method which uses upper and lower case letters in the question hostname to obtain randomness. On average adding about 7 or 8 bits of entropy. This method currently has to be turned on by the dns admin manually, as it may result in maybe 0.4% of domains getting no answers due to no support on the authoritative server side. In our second example we enable the directive "use-caps-for-id: yes" for better security using dns-0x20.

All this means is that calomel.org is the same as CaLOMeL.Org which is the same as CALOMEL.ORG. When Unbound sends a query to a remote server it sends the hostname string in random upper and lower characters. The remote server must resolve the hostname as if all the characters were lower case. The remote server must then send the query back to Unbound in the same random upper and lower characters that Unbound sent. If the characters of the hostname in the response are in the same format as the query then the dns-0x20 check is satisfied.

Attackers hoping to poison an Unbound DNS cache must therefore guess the mixed-case encoding of the query and the timing of the return dns answer in addition to all other fields required in a DNS poisoning attack. dns-0x20 increases the difficulty of the attack significantly.

Related question: Chrome: DNS requests with random DNS names: malware?

dbkeys
Rui F Ribeiro
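To make the mechanism in the answer concrete, here is an added example (written for this page, not code from rebound, Unbound or the calomel tutorial). It does three things: randomizes the case of a query name the way dns-0x20 does, plays both sides of the exchange so the verifier's accept/reject decision is visible (including the "no answer" failure mode the calomel text mentions, where an authoritative server lowercases the name), and runs a small classifier over the tcpdump lines from the question so a defender can tell mixed-case queries apart from plain ones. The toy zone contents and the pass-through of the question name are assumptions for illustration; the address 213.13.146.142 is the one shown in the question's capture.

```python
import random
import re
from typing import Optional, Tuple

# ---- resolver side: encode and verify --------------------------------------

def encode_0x20(name: str, rng: random.Random) -> str:
    """Flip bit 0x20 (the ASCII case bit) at random on every letter.
    Non-letters (dots, digits, hyphens) carry no case and are left alone."""
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in name
    )

def entropy_bits(name: str) -> int:
    """One extra bit of spoofing resistance per letter in the name."""
    return sum(1 for ch in name if ch.isascii() and ch.isalpha())

def verify_0x20(sent_qname: str, received_qname: str) -> bool:
    """Accept an answer only if its question name matches what we sent
    byte for byte.  Case-insensitive equality is NOT enough: that is the
    whole point of the check."""
    return sent_qname == received_qname

# ---- authoritative side (toy) ----------------------------------------------

ZONE = {"www.sapo.pt": "213.13.146.142"}  # constructed; address from the capture

def authoritative_answer(qname: str, preserve_case: bool = True) -> Optional[Tuple[str, str]]:
    """Look the name up case-insensitively (names are not case sensitive) and
    echo the question name back.  A well-behaved server keeps the case it was
    sent; preserve_case=False models the minority of servers that rewrite it."""
    rdata = ZONE.get(qname.lower())
    if rdata is None:
        return None
    echoed = qname if preserve_case else qname.lower()
    return echoed, rdata

def resolve(name: str, rng: random.Random, server_preserves_case: bool = True) -> Optional[str]:
    """One round trip: send a case-randomized query, accept the answer only if
    the dns-0x20 check passes.  Returns the address or None."""
    sent = encode_0x20(name, rng)
    reply = authoritative_answer(sent, preserve_case=server_preserves_case)
    if reply is None:
        return None
    echoed, rdata = reply
    return rdata if verify_0x20(sent, echoed) else None

# ---- defender side: spot 0x20-style queries in tcpdump output --------------

# Constructed sample: the query lines from the question's tcpdump capture.
TCPDUMP_LINES = """\
16:42:57.805038 192.168.5.134.47813 > 192.168.5.2.53: 27738+ A? Www.sApO.PT. (29)
16:43:06.232232 192.168.5.134.44055 > 192.168.5.2.53: 28471+ A? www.SaPo.pt. (29)
16:45:22.135751 192.168.5.134.11862 > 192.168.5.2.53: 48659+ A? wwW.cnn.COm. (29)
16:45:27.142154 192.168.5.134.34929 > 192.168.5.2.53: 25816+ A? wWw.cnN.com. (29)
16:45:32.150473 192.168.5.134.29932 > 192.168.5.2.53: 40674+ A? wWw.cnn.cOM. (29)
16:45:40.000000 192.168.5.77.40001 > 192.168.5.2.53: 11111+ A? www.example.com. (33)
""".splitlines()

_QNAME_RE = re.compile(r"\bA\? (\S+?)\.? \(\d+\)$")

def is_mixed_case(name: str) -> bool:
    letters = [ch for ch in name if ch.isascii() and ch.isalpha()]
    return any(ch.isupper() for ch in letters) and any(ch.islower() for ch in letters)

def mixed_case_queries(lines) -> list:
    """Return the question names in tcpdump 'A?' lines that use mixed case.
    Such queries from a resolver are the expected dns-0x20 signature, so they
    are a reason to check which software the host runs before suspecting malware."""
    found = []
    for line in lines:
        m = _QNAME_RE.search(line)
        if m and is_mixed_case(m.group(1)):
            found.append(m.group(1))
    return found

if __name__ == "__main__":
    rng = random.Random(20)
    print(encode_0x20("www.sapo.pt", rng), entropy_bits("www.sapo.pt"), "bits")
    print("good server:", resolve("www.sapo.pt", rng))
    print("case-rewriting server:", resolve("www.sapo.pt", rng, server_preserves_case=False))
    print("mixed-case queries seen:", mixed_case_queries(TCPDUMP_LINES))
```

The rejected answer from the case-rewriting server is exactly the "0.4% of domains getting no answers" caveat from the calomel text: the check has no way to distinguish a legitimate server that lowercases the name from a forged packet, so the resolver has to drop both.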
  • This started as a counter-measure against the Kaminsky attacks, it was a way to easily add a lot more entropy in the DNS messages where no other parts of the DNS message could be changed (enlarged) to accommodate for more entropy (fewer ways to guess the DNS message ID) – Patrick Mevzek Mar 04 '18 at 16:32
    See https://dyn.com/blog/use-of-bit-0x20-in-dns-labels/ and https://blog.cloudflare.com/the-oldest-trick-in-the-ascii-book/ and from the man himself: https://dankaminsky.com/2008/08/29/towards-the-next-dns-fix/ (see point 4) – Patrick Mevzek Mar 04 '18 at 16:36
  • Slightly off-topic for PT users: Have had problems using DNS from MEO/Zon routers in the past because of them not supporting this. Anyone has some pointers about them messing up DNS requests? – Rui F Ribeiro Jan 03 '19 at 10:38
  • I was seeing similar requests in the query log for my authoritative name server so thanks for the question and answer. Here's the WM archive link for the first URL @Patrick linked to: https://web.archive.org/web/20160413043456/https://dyn.com/blog/use-of-bit-0x20-in-dns-labels/ – Anthony Geoghegan Oct 10 '21 at 20:58