
What a Show! An Amplified Internet Scale DNS Probing Operation

ID: f5214bbd-54b5-5531-970c-d9cb7a8b323c

STIX ID: report--f5214bbd-54b5-5531-970c-d9cb7a8b323c

Feed Name: Infoblox Threat Intel Blog

Threat Score: 70/100

Date Published: 2024-06-03

Date Updated: 2026-04-28

Author: Infoblox Threat Intel

Infoblox researchers detail a global DNS probing campaign named Secshow, originating from CERNET. The operation probes distributed IP addresses to identify and measure open DNS resolvers by encoding target IPs into DNS query names and returning random/wildcard IP responses; it also includes DNAME/CNAME tests and other resolver-behavior measurements. The report further documents how Palo Alto's Cortex Xpanse active scanning product treats Secshow responses as URLs and repeatedly fetches them, which massively amplifies queries worldwide, pollutes passive DNS datasets, hinders research, and increases DNS processing costs. The report lists domains (e.g., secshow.online, secshow.net, secdns.site) and provides guidance for detecting open resolvers.