DNS queries with mysterious random mixed case

1 15.895697 2600:480e:4000:c00::3 -> 2001:470:1f12:425::2 DNS 94 Standard query 0x896c A wwW.ruWeNZORI.net 2 15.901855 2600:480e:4000:c00::7 -> 2001:470:1f12:425::2 DNS 94 Standard query 0xe3e6 A Www.RuWEnzoRi.neT 3 16.557423 2600:480e:4000:c00::7 -> 2001:470:1f12:425::2 DNS 93 Standard query 0x5040 A KiVu.grabEuH.COm 4 16.566121 2600:480e:4000:c00::3 -> 2001:470:1f12:425::2 DNS 93 Standard query 0x9c91 A KIVU.grabeUH.cOM 5 17.211708 2600:480e:4000:c00::9 -> 2001:470:1f12:425::2 DNS 94 Standard query 0x7b36 AAAA www.RUWENzORi.net 6 17.888244 2600:480e:4000:c00::9 -> 2001:470:1f12:425::2 DNS 93 Standard query 0xc582 AAAA KiVu.gRabEUH.com 7 18.041786 2600:480e:4000:c00::7 -> 2001:470:1f12:425::2 DNS 93 Standard query 0xcb72 AAAA Kivu.GRABEUh.coM

Well… WTF ? Who let the script kiddies out ? No one… Surprisingly: those are actually perfectly well-formed queries, using “0x20 Bit encoding“.

This technique was introduced in a 2008 paper, “Increased DNS Forgery Resistance Through 0x20-Bit Encoding – SecURItY viA LeET QueRieS” :

“We describe a novel, practical and simple technique to make DNS queries more resistant to poisoning attacks: mix the upper and lower case spelling of the domain name in the query. Fortuitously, almost all DNS authority servers preserve the mixed case encoding of the query in answer messages. Attackers hoping to poison a DNS cache must therefore guess the mixed-case encoding of the query, in addition to all other fields required in a DNS poisoning attack. This increases the difficulty of the attack”.

For example, Tor uses it by default for name lookups that a Tor server does on behalf of its clients.

Of course, this clever exploitation of a fortuitous behaviour did not go without inducing bugs… What a surprise !

Well… One less mystery.