Why am I seeing lots of stomp1. DNS queries from Google IP addresses?

domain-name-system

We maintain DNS service for > 100 domains, including some of our own, and while wandering through the DNS server logs I noticed a slow but more or less constant (~40 requests/hour) stream of DNS requests for the stomp1.<our_own_domain>.<tld> A record.

They are coming from many different IP addresses (with an average of one unique IP address every 2.5 DNS requests, so we are literally seeing DNS requests from hundreds of unique IP addresses) in the 74.125.0.0/16 netblock, which is assigned to Google.

Some empirical searching suggests that it could be used by "miscellaneous services" including Google App Engine, but it shouldn't be part of Google crawling activities.

We didn't have any DNS record at that address, so just for the fun of it we added the record and pointed it to 127.0.0.1 with a TTL of many days; so far it has not had any effect on the stream of requests, which is still going at ~40 reqs/hour.

As far as I can tell, some/many legitimate STOMP clients default to trying to resolve the stomp1 hostname, but we never used anything like that. We also never ran anything on Google's systems (e.g. App Engine) and we never used any of their services in relation to our domain (e.g. never used G Suite or anything). It also sounds strange to me that we are only seeing those kinds of requests for a single domain out of >100.

Is there any "known and standard thing" that I'm totally missing here (like queries for SPF records in DNS, robots.txt in HTTP servers, and so on…) or should I suspect some kind of misbehavior, targeted at our domain for some reason?

Best Answer

If the server/workstation running the STOMP client is configured to use Google's public resolvers 8.8.8.8 and/or 8.8.4.4, and it also has <our_own_domain>.<tld> as the search domain, that is a plausible explanation both for how requests for a default stomp1 get converted to stomp1.<our_own_domain>.<tld> and for how the DNS queries would appear in your logs as originating from Google IP addresses.
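
The search-domain expansion described in the answer, as an added example that is not part of the original post: it parses a constructed resolv.conf and lists the names a stub resolver would query for an unqualified `stomp1`. `example.com` stands in for `<our_own_domain>.<tld>`, the ndots ordering follows resolv.conf(5) as an assumption about the client, and the function names are hypothetical.

```python
import ipaddress

# Constructed resolv.conf for a hypothetical client; example.com stands in
# for <our_own_domain>.<tld>.
RESOLV_CONF = """\
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com
options ndots:1
"""

# Netblock named in the question as the source of the queries.
GOOGLE_NET = ipaddress.ip_network("74.125.0.0/16")

def parse_resolv_conf(text):
    """Return (nameservers, search_list, ndots) from resolv.conf text."""
    servers, search, ndots = [], [], 1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] in ("search", "domain"):
            search = fields[1:]  # the last search/domain line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt[6:])
    return servers, search, ndots

def candidate_queries(name, search, ndots):
    """Names the stub resolver tries, in order, for `name`."""
    if name.endswith("."):
        return [name]  # already fully qualified: search list is not applied
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    as_is = [name + "."]
    # Fewer dots than ndots: search list first, the bare name last.
    return expanded + as_is if name.count(".") < ndots else as_is + expanded

def seen_from_google(src_ip):
    """True if a logged query source falls in the netblock from the question."""
    return ipaddress.ip_address(src_ip) in GOOGLE_NET
```

For the authoritative server the only visible result is the first candidate, `stomp1.example.com.`, arriving from the recursive resolver's own address rather than the client's, which is why the logs show the resolver operator's netblock.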