Increased DNS traffic after certificate request

Dear All,

Yesterday I started to generate a certificate using "certbot" for a domain name I have parked and which is almost not used. In the past there were only a few DNS requests per day. Today I got alerted about a high rate of DNS queries. Looking at the details I see there are 21000 DNS queries for this domain in the last 24 hours. The source is the European area. Under normal conditions most DNS traffic comes from the US and Asian area.

I am asking myself: is there a hole somewhere? It can't be an accident that DNS queries are now tens of thousands of times higher than before.

Kind regards
Hans

Certificates issued by Let's Encrypt (and other public Certificate Authorities) are logged in public Certificate Transparency logs. There are many tools to view the CT logs, one of which is https://crt.sh

These logs can be scanned by anyone. Even bad actors.

Any device connected to the public internet should be secure. You cannot rely on being hidden.

I don't know that this is what caused the spike in your traffic. But it might be.

EDIT: I moved your post to the Help section. Had you posted there, you would have been shown a form that mentions the CT log. Given your question, I don't see that answers to the questions on that form would be helpful to anyone else helping you, so I didn't re-post that form.

5 Likes

Hi MikeMcQ,

Many thanks for your explanation. Sounds reasonable.
The domain is under the top-level domain .eu. And all these bad actors are also coming from the EU. Not even from these "well-known bad countries".
Interesting.

// Hans

3 Likes

If you have a private server, use a wildcard certificate to keep it private.

2 Likes

Increasingly I think we will also find that search engine crawlers, AI data-gathering bots and web scraping tools will all use CT logs to gather fresh victim data. Also, the days of bad actors only sending traffic from their own countries are pretty much over.

4 Likes

@hans-mayer
I think this is interesting. Yesterday my mta-sts certificate was updated. I received notification of the certificate renewal and a couple dozen notifications from fail2ban blocking various clients (attempting to "scan" mta-sts) at the very same moment.
Is this a coincidence? I doubt it. It is just "internet noise", and it will never end.
EDIT: Yes, it too was a wildcard cert.

4 Likes

Hi saudiqbal

... use a wildcard certificate to keep it private ...

This was maybe the trigger. I created a wildcard certificate for my .eu domain. This was maybe the motivation for the hackers to find out which names are available. With a non-wildcard certificate this wouldn't have generated such high DNS traffic.

// Hans

1 Like

Hi webprofusion

... Also, the days of bad actors only sending traffic from their own countries are pretty much over ...

This is also my expectation. But only 15 queries came from outside the EU. As it isn't a completely blind domain, these 15 queries are legitimate. So I can say almost 100% of the queries come from the fact that I generated a wildcard .eu domain certificate.

// Hans

1 Like

Hi Rip

... Is this a coincidence?

From my experience, definitely NOT.

... It is just "internet noise", and it will never end.

In my case it stopped. It started at 8:00 and ended 16 hours later. If you look at the graph I initially posted, it is still the same now. It is only shifted to the left on the time series because we are now several hours later. So in the recent past it didn't happen any more.

// Hans

2 Likes

Yes, the graph motivated me to look into my log files relating to the timing of the burst of traffic. To be honest, I can't see any rationale for the spike in traffic other than the fact that it was within seconds of the certificate update (most of the IPs are unresolvable), so I suspect bots are busy doing what they do best.
There are 4 or 5 certs on my mail server. They all renew on a staggered schedule so as not to pound LE's production server. Next renewal I'll pay more attention and see if there is some correlation.

3 Likes
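Hans's conclusion that the burst followed his wildcard certificate and Rip's plan to check his logs at the next renewal come down to the same check: did the query rate, and the set of names being asked for, change right after the issuance time shown in the CT log? The script below is an added example, not code from the thread or from Let's Encrypt; the log format, IP addresses, names and issuance time are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed DNS query log: "<ISO timestamp> <client IP> <qname> <qtype>"
LOG = """\
2024-05-01T03:10:00Z 198.51.100.7 example.eu A
2024-05-01T11:42:00Z 192.0.2.44 www.example.eu A
2024-05-02T07:55:00Z 198.51.100.7 example.eu MX
2024-05-02T08:01:10Z 203.0.113.5 mail.example.eu A
2024-05-02T08:01:11Z 203.0.113.5 vpn.example.eu A
2024-05-02T08:01:12Z 203.0.113.5 dev.example.eu A
2024-05-02T08:02:03Z 203.0.113.9 staging.example.eu A
2024-05-02T08:02:04Z 203.0.113.9 admin.example.eu A
2024-05-02T08:02:05Z 203.0.113.9 git.example.eu A
2024-05-02T09:15:00Z 203.0.113.12 test.example.eu A
2024-05-02T09:15:01Z 203.0.113.12 api.example.eu A
"""

# Constructed: issuance time of the wildcard cert for *.example.eu, as it
# would appear in the CT log entry (e.g. on crt.sh).
ISSUED_AT = datetime(2024, 5, 2, 8, 0, tzinfo=timezone.utc)


def parse(log):
    """Return (timestamp, client, qname) tuples from the constructed log."""
    rows = []
    for line in log.splitlines():
        ts, client, qname, _qtype = line.split()
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     client, qname.lower()))
    return rows


def correlate(log, issued_at, window_h=24, factor=3.0, min_novel=5):
    """Compare equal windows before and after issuance and collect names
    never queried before it: many new names right after a wildcard cert
    appears in CT is the enumeration pattern the thread describes."""
    rows = parse(log)
    start = issued_at - timedelta(hours=window_h)
    end = issued_at + timedelta(hours=window_h)
    before = [r for r in rows if start <= r[0] < issued_at]
    after = [r for r in rows if issued_at <= r[0] < end]
    known = {q for ts, _, q in rows if ts < issued_at}  # whole history
    novel = {q for _, _, q in after} - known
    return {
        "before_count": len(before),
        "after_count": len(after),
        "novel_names": sorted(novel),
        "probing_clients": sorted({c for _, c, q in after if q in novel}),
        "enumeration_suspected": (len(after) > factor * max(1, len(before))
                                  and len(novel) >= min_novel),
    }
```

`probing_clients` is the list to hand to fail2ban or a firewall block list; `novel_names` tells you which names the scanners guessed, which is useful when deciding whether a wildcard was worth the exposure.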

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.