
Observed DNS Anomaly: Bumps in DNS ANY Query Activity

For the past 5 days, we’ve been seeing a 20-25% bump in DNS QPS for random 5-10 minute intervals that started back up this morning. It’s certainly not a pattern that we’re accustomed to seeing, so we classified this as a traffic anomaly and sent our Operations Team searching for answers on what the source of this might be.

Here are the particulars of what we’re seeing:

  • Source IPs are from IP prefixes originating from China Telecom and China Netcom address space.
  • Source ports are randomized.
  • DNS transaction ID is randomized.
  • The queries follow delegation paths to our nameservers via customer domains. We do see queries for domains that we are not authoritative for, meaning that this is likely bogus traffic to real domains.
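
The following Python example is added here and is not from the original post or from Dyn's tooling. It flags runs of minutes whose query count rises at least 20% above the median minute, then reports the ANY share and the source prefix responsible for the excess. The log format, the /24 aggregation, the median baseline and the sample data are all assumptions constructed for illustration.

```python
import ipaddress
import statistics
from collections import Counter, defaultdict

def parse(line):
    # Assumed log format: "<epoch> <src_ip> <src_port> <txid> <qname> <qtype>"
    ts, ip, port, txid, qname, qtype = line.split()
    return int(ts), ip, int(port), int(txid), qname.lower(), qtype.upper()

def prefix(rec, plen=24):
    return str(ipaddress.ip_network(f"{rec[1]}/{plen}", strict=False))

def find_bumps(lines, threshold=1.20):
    """Group consecutive minutes whose query count is >= threshold x the median."""
    minutes = defaultdict(list)
    for rec in map(parse, lines):
        minutes[rec[0] // 60].append(rec)
    baseline = statistics.median(len(v) for v in minutes.values())
    hot = sorted(m for m, v in minutes.items() if len(v) >= threshold * baseline)
    quiet = Counter(prefix(r) for m, v in minutes.items() if m not in hot for r in v)
    quiet_minutes = len(minutes) - len(hot)
    runs = []
    for m in hot:  # merge consecutive hot minutes into one interval
        if runs and m == runs[-1][-1] + 1:
            runs[-1].append(m)
        else:
            runs.append([m])
    bumps = []
    for run in runs:
        recs = [r for m in run for r in minutes[m]]
        seen = Counter(map(prefix, recs))
        # Source prefix with the largest excess over its quiet-period rate
        top = max(seen, key=lambda p: seen[p] - quiet[p] / quiet_minutes * len(run))
        bumps.append({
            "start_minute": run[0], "minutes": len(run), "top_prefix": top,
            "increase": len(recs) / (baseline * len(run)) - 1,
            "any_share": sum(r[5] == "ANY" for r in recs) / len(recs),
            "src_ports": len({r[2] for r in recs if prefix(r) == top}),
        })
    return bumps

def sample_log():
    # Constructed data: 100 A queries/min for 30 min, plus 25 ANY/min in minutes 10-16.
    lines = []
    for m in range(30):
        lines += [f"{m * 60 + i % 60} 192.0.2.{i % 50 + 1} {1024 + i} {i} www.example.com A" for i in range(100)]
        if 10 <= m < 17:
            lines += [f"{m * 60 + i} 198.51.100.{i + 1} {20000 + 37 * i + m} {7919 * i % 65536} example.com ANY" for i in range(25)]
    return lines
```

On the constructed sample, `find_bumps(sample_log())` returns a single seven-minute interval with a 25% increase attributed to 198.51.100.0/24. A high `src_ports` count for that prefix matches the randomized source ports listed above.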


This has been noticed not only by us, but also by those on the Dns-operations list, NANOG and other related mailing lists.

Given that this has been noticed by other network operators but is such a huge amount of traffic, we’re surprised that the discussion about this has been relatively muted. Are others seeing this? What are you doing about it (if anything)? What do you think is behind it?




Whois: Tom Daly

Tom Daly is a co-founder of Dyn, a pioneer in managed DNS and a leader in cloud-based infrastructure that connects users with digital content and experiences across a global internet.
