BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

DNS C2 not working latest version #1354

Closed 345ertyugr6 closed 4 months ago

345ertyugr6 commented 1 year ago

Hello, I tested DNS C2 but I have some issues.

DNS beacon, session cannot connect.

First, I use v1.5.39 (current latest) and set up DNS C2:

[*] Server v1.5.39 - a1c19bc745b7cfd496084f4514f2c404c7c352e8 - Dirty

sliver > dns -d 2.corax.africa.

[*] Starting DNS listener with parent domain(s) [2.corax.africa.] ...
[*] Successfully started job #1

sliver > jobs

 ID   Name   Protocol   Port
==== ====== ========== ======
 1    dns    udp        53

sliver > generate --dns 2.corax.africa. --os linux --debug

[*] Generating new linux/amd64 implant binary

And I execute the binary but the C2 cannot connect.

Here are some logs:

[log from backdoor]
root@vultr:~/sliver# ./TENSE_DANGER
2023/07/19 10:57:51 sliver.go:99: Hello my name is TENSE_DANGER
2023/07/19 10:57:51 limits.go:58: Limit checks completed
2023/07/19 10:57:51 sliver.go:117: Running in session mode
2023/07/19 10:57:51 session.go:64: Starting interactive session connection loop ...
2023/07/19 10:57:51 transports.go:41: Starting c2 url generator () ...
2023/07/19 10:57:51 transports.go:104: Return generator: (chan *url.URL)(0xc00007c6c0)
2023/07/19 10:57:51 transports.go:92: Yield c2 uri = 'dns://2.corax.africa.'
2023/07/19 10:57:51 transports.go:92: Yield c2 uri = 'dns://2.corax.africa.'
2023/07/19 10:57:51 session.go:81: Next CC = dns://2.corax.africa.
2023/07/19 10:57:51 session.go:81: Next CC = dns://2.corax.africa.
2023/07/19 10:57:51 transports.go:92: Yield c2 uri = 'dns://2.corax.africa.'
2023/07/19 10:57:51 session.go:171: Attempting to connect via DNS via parent: 2.corax.africa.
2023/07/19 10:57:51 dnsclient.go:152: DNS client connecting to '2.corax.africa.' (timeout: 5s) ...
2023/07/19 10:57:51 dnsclient.go:299: [dns] found resolvers: [127.0.0.1]
2023/07/19 10:57:51 dnsclient.go:721: [dns] Fetching dns session id via 'baa8.2.corax.africa.' ...
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of baa8.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 3.379013ms (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 68.10.116.187
2023/07/19 10:57:51 dnsclient.go:742: [dns] dns session id: 7604804
2023/07/19 10:57:51 dnsclient.go:836: [dns] Fingerprinting 1 resolver(s) ...
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of 1c1ff0ac3425ccra95hwdtgv.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 180.627µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 228.195.72.33
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of 1c1ff0ac3422d8ter6xf21kh.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 326.327µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 172.102.227.114
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of 1c1ff0ac342gfvvufgzfz18t.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 143.265µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 191.103.220.164
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of 1c1ff0ac342bwt3g3cnr799y.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 335.844µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 85.76.4.33
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of UD5JRH3K1j6xoAqD7H8Q.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 343.059µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 32.123.96.86
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of UD5JRH3K1GwXtyXxE1g6.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 136.934µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 205.88.110.32
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of UD5JRH3K1bgJd9ajEuaG.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 255.982µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 150.245.0.143
2023/07/19 10:57:51 resolver-generic.go:92: [dns] 127.0.0.1:53->A record of UD5JRH3K1Mkj47wubqCz.2.corax.africa. ?
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 356.635µs (err: )
2023/07/19 10:57:51 resolver-generic.go:109: [dns] answer (a): 46.127.28.230
2023/07/19 10:57:51 dnsclient.go:856: [dns] 127.0.0.1:53: avg rtt 259.834µs, base58: true, errors 0
2023/07/19 10:57:51 dnsclient.go:316: [dns] skey [159 14 138 47 230 206 251 119 103 97 126 4 17 84 105 38 15 135 254 52 61 7 196 158 60 28 120 119 47 176 168 74]
2023/07/19 10:57:51 dnsclient.go:319: [dns] initData [211 210 28 90 191 250 144 114 124 31 223 131 199 142 251 224 210 16 199 203 128 104 70 245 50 202 13 35 235 82 90 47 113 111 108 87 105 109 56 107 121 74 97 55 68 81 76 107 49 119 51 48 116 108 116 120 113 108 71 119 120 67 106 68 115 43 56 80 85 117 69 76 105 81 119 10 101 68 103 52 68 86 50 77 106 54 71 69 43 100 47 119 81 99 101 51 82 102 122 102 99 50 108 47 113 67 79 75 113 84 100 116 47 111 65 80 68 76 48 10 45 45 45 32 70 88 74 117 89 114 67 79 81 43 98 75 108 52 67 82 122 106 73 55 122 56 71 86 119 55 113 112 48 113 97 48 53 49 107 74 51 121 83 57 107 109 56 10 180 56 138 205 50 242 101 248 238 25 148 57 200 237 107 186 36 144 181 194 235 133 179 33 114 174 123 100 107 3 120 216 48 241 138 96 208 160 45 203 246 76 130 120 24 114 6 9 68 148 115 122 34 118 92 154 179 254 91 120 41 228 101 143 219 0 168 19 146 207 152 160 167 30 58 186 175 14 75 80 29 16 148 115 58 108 154 113 237 213 122 34 183 129 168 239]
2023/07/19 10:57:51 dnsclient.go:701: [dns] original data: 264 bytes
2023/07/19 10:57:51 dnsclient.go:702: [dns] total subdata: 264 bytes
2023/07/19 10:57:51 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 7.522255ms (err: )
2023/07/19 10:57:51 resolver-generic.go:142: [dns] error response status: 5
2023/07/19 10:57:51 resolver-generic.go:128: [dns] query error: invalid rcode (retry wait: 1s)
2023/07/19 10:57:52 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 2.495777ms (err: )
2023/07/19 10:57:52 resolver-generic.go:142: [dns] error response status: 5
2023/07/19 10:57:52 resolver-generic.go:128: [dns] query error: invalid rcode (retry wait: 1s)
2023/07/19 10:57:53 resolver-generic.go:175: [dns] rtt->127.0.0.1:53 2.142668ms (err: )
2023/07/19 10:57:53 resolver-generic.go:142: [dns] error response status: 5
2023/07/19 10:57:53 resolver-generic.go:128: [dns] query error: invalid rcode (retry wait: 1s)
2023/07/19 10:57:54 dnsclient.go:397: [dns] init msg failure invalid rcode
2023/07/19 10:57:54 dnsclient.go:341: [dns] init msg send failure invalid rcode
2023/07/19 10:57:54 sliver.go:156: [session] failed to establish connection: invalid rcode
2023/07/19 10:57:54 sliver.go:136: Reconnect sleep: 1m0s

[log from sliver-server]
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] 'baa8.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] '1c1ff0ac3425ccra95hwdtgv.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] '1c1ff0ac3422d8ter6xf21kh.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] '1c1ff0ac342gfvvufgzfz18t.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] '1c1ff0ac342bwt3g3cnr799y.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] 'UD5JRH3K1j6xoAqD7H8Q.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] 'UD5JRH3K1GwXtyXxE1g6.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] 'UD5JRH3K1bgJd9ajEuaG.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] 'UD5JRH3K1Mkj47wubqCz.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:361] 'gTjdqwuiL6ZUhT97yNYbhyQoxqjKnQCVHWMPhieWyhZnaxJ3FVUykVjJ1SRTqEj.Qfnka9QJsyaQMx4xTmkV5tzVAX31JNow75k91Z2Q3LvDQYfq4qUnzd63oju6Nra.iLzq5k9jvyzzhLoLTqmZ5pgcg6hskXtTyVHFxMPL8bSrPKmL3LDyxRWrC33x87g.ddpZUeWpdZjnWHWFo5Xtop6gm6QhBVYHmTTwsAg8GAnt.2.corax.africa.' is subdomain of '2.corax.africa.'
ERRO[2023-07-19T10:57:51Z] [sliver/server/c2/dns.go:517] [session init] error decrypting session init data: failed to read header: failed to read header: EOF
INFO[2023-07-19T10:57:52Z] [sliver/server/c2/dns.go:361] 'gTjdqwuiL6ZUhT97yNYbhyQoxqjKnQCVHWMPhieWyhZnaxJ3FVUykVjJ1SRTqEj.Qfnka9QJsyaQMx4xTmkV5tzVAX31JNow75k91Z2Q3LvDQYfq4qUnzd63oju6Nra.iLzq5k9jvyzzhLoLTqmZ5pgcg6hskXtTyVHFxMPL8bSrPKmL3LDyxRWrC33x87g.ddpZUeWpdZjnWHWFo5Xtop6gm6QhBVYHmTTwsAg8GAnt.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:52Z] [sliver/server/db/logger.go:20] github.com/bishopfox/sliver/server/db/helpers.go:681 constraint failed: UNIQUE constraint failed: key_ex_histories.sha256 (1555) [0.265ms] [rows:0] INSERT INTO key_ex_histories (sha256,created_at) VALUES ("2e6043bfc42efb82579f6afb73dc02db5a94df266f588dd22f58ea5d2987792a","2023-07-19 10:57:52.092")
ERRO[2023-07-19T10:57:52Z] [sliver/server/c2/dns.go:517] [session init] error decrypting session init data: decryption failed
INFO[2023-07-19T10:57:53Z] [sliver/server/c2/dns.go:361] 'gTjdqwuiL6ZUhT97yNYbhyQoxqjKnQCVHWMPhieWyhZnaxJ3FVUykVjJ1SRTqEj.Qfnka9QJsyaQMx4xTmkV5tzVAX31JNow75k91Z2Q3LvDQYfq4qUnzd63oju6Nra.iLzq5k9jvyzzhLoLTqmZ5pgcg6hskXtTyVHFxMPL8bSrPKmL3LDyxRWrC33x87g.ddpZUeWpdZjnWHWFo5Xtop6gm6QhBVYHmTTwsAg8GAnt.2.corax.africa.' is subdomain of '2.corax.africa.'
INFO[2023-07-19T10:57:53Z] [sliver/server/db/logger.go:20] github.com/bishopfox/sliver/server/db/helpers.go:681 constraint failed: UNIQUE constraint failed: key_ex_histories.sha256 (1555) [0.106ms] [rows:0] INSERT INTO key_ex_histories (sha256,created_at) VALUES ("2e6043bfc42efb82579f6afb73dc02db5a94df266f588dd22f58ea5d2987792a","2023-07-19 10:57:53.095")
ERRO[2023-07-19T10:57:53Z] [sliver/server/c2/dns.go:517] [session init] error decrypting session init data: decryption failed

I modify /etc/resolv.conf to use DNS by itself:

nameserver 127.0.0.1

If I use the old version (1.5.12) it works correctly.

How can I fix it?

thanks
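
A defender's view of the query pattern visible in the logs above, as an added example that is not part of the original post or of the Sliver project: it flags a client whose lookups under one zone combine payload-sized, high-entropy names with a burst of unique short subdomains. The zone `c2.example.test`, the client addresses, the thresholds, and the use of the last two labels as the registrable domain are assumptions, and every sample name is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MAX_LABEL = 63  # longest label DNS allows (RFC 1035)


def constructed_label(seed, length):
    """Deterministic stand-in for an encoded payload label (constructed data)."""
    out, counter = [], 0
    while len(out) < length:
        digest = hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        out.extend(BASE58[b % 58] for b in digest)
        counter += 1
    return "".join(out[:length])


def constructed_queries():
    """Constructed (client, qname) pairs shaped like the log: probes, then one bulk name."""
    zone = "c2.example.test."  # hypothetical parent domain
    bulk = ".".join(constructed_label(f"chunk{i}", MAX_LABEL) for i in range(3))
    rows = [
        ("10.0.0.5", "www.example.test."),
        ("10.0.0.5", "mail.corp.example.test."),
        ("10.0.0.7", f"{bulk}.{constructed_label('tail', 44)}.{zone}"),
    ]
    rows += [("10.0.0.7", f"{constructed_label(f'probe{i}', 20)}.{zone}") for i in range(9)]
    return rows


def shannon_entropy(text):
    """Bits per character; encoded payloads sit far above hostnames people choose."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def qname_features(qname, zone_labels=2):
    # Assumption: the last `zone_labels` labels are the registrable domain.
    # A production detector would consult the Public Suffix List instead.
    labels = qname.rstrip(".").split(".")
    sub = labels[:-zone_labels]
    return {
        "zone": ".".join(labels[-zone_labels:]).lower(),
        "name_len": len(qname.rstrip(".")),
        "long_labels": sum(1 for label in sub if len(label) >= 50),
        "entropy": shannon_entropy("".join(sub)),
    }


def is_bulk_payload(features):
    """Near-maximum name length, several near-maximum labels, high entropy."""
    return (features["name_len"] >= 150
            and features["long_labels"] >= 2
            and features["entropy"] >= 4.0)


def analyze(queries, min_unique=8):
    """Return {(client, zone): [reasons]} for pairs that look like DNS tunnelling."""
    unique, bulky = defaultdict(set), defaultdict(int)
    for client, qname in queries:
        features = qname_features(qname)
        key = (client, features["zone"])
        # Lower-case before counting: resolvers that randomise query case
        # (TesT / test) would otherwise inflate the unique-name count.
        unique[key].add(qname.lower())
        if is_bulk_payload(features):
            bulky[key] += 1
    findings = {}
    for key, names in unique.items():
        reasons = []
        if bulky[key]:
            reasons.append(f"{bulky[key]} payload-sized name(s)")
        if len(names) >= min_unique:
            reasons.append(f"{len(names)} unique subdomains")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (client, zone), reasons in analyze(constructed_queries()).items():
        print(client, zone, "; ".join(reasons))
```
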

Phyxius commented 1 year ago

I'm also unable to get DNS working on the latest versions (1.5.40 and .41); doing the same configuration works on .39.

chmod750 commented 12 months ago

It seems that it is due to the migration from ECCDecrypt to AgeDecrypt in order to mitigate the KEM vulnerability (release v1.5.40).

moloch-- commented 12 months ago

Back from vacation on Monday and I'll have a look.

N00BIER commented 12 months ago

Similar issue here. C2 server fails to connect due to "[session init] error decoding public key: %!s(<nil>)". Is it that no public key is passed from the implant to the server, or that the subdata gets corrupted, which is unlikely given the CRC check? What might be the issue? Please help! Thanks

b3r1ch commented 11 months ago

> I'm also unable to get DNS working on the latest versions (1.5.40 and .41); doing the same configuration works on .39.

How to change the sliver server and client (1.5.40) to 1.5.39? Please help! Thanks

# Generate local configs
echo "Generating local configs ..."

# Generate local configs
echo "Generating operator configs ..."
mkdir -p /root/.sliver-client/configs
/root/sliver-server operator --name root --lhost localhost --save /root/.sliver-client/configs
chown -R root:root /root/.sliver-client/

USER_DIRS=(/home/*)
for USER_DIR in "${USER_DIRS[@]}"; do
    USER=$(basename "$USER_DIR")
    if id -u "$USER" >/dev/null 2>&1; then
        echo "Generating operator configs for user $USER..."
        mkdir -p "$USER_DIR/.sliver-client/configs"
        /root/sliver-server operator --name "$USER" --lhost localhost --save "$USER_DIR/.sliver-client/configs"
        chown -R "$USER":"$(id -gn "$USER")" "$USER_DIR/.sliver-client/"
    fi
done

here~

moloch-- commented 11 months ago

Sorry for the delay folks, in fixing this bug I found another slightly more complex issue that I'm working to fix.

N00BIER commented 11 months ago

> Sorry for the delay folks, in fixing this bug I found another slightly more complex issue that I'm working to fix.

Thanks, mate. We appreciate this

MrTuxx commented 11 months ago

@b3r1ch Simply change the URL https://api.github.com/repos/BishopFox/sliver/releases/latest that appears in the install.sh script to the following: https://api.github.com/repos/BishopFox/sliver/releases/103185180. This corresponds to v1.5.39.

mkannan22 commented 11 months ago

Tried this and now getting a Go stack error.

./sliver-server
stacktrace from panic:
goroutine 1 [running]:
runtime/debug.Stack()
    runtime/debug/stack.go:24 +0x65
github.com/bishopfox/sliver/server/cli.glob..func4.1()
    github.com/bishopfox/sliver/server/cli/cli.go:119 +0x72
panic({0x17c5880, 0xc0000bc140})
    runtime/panic.go:884 +0x213
github.com/bishopfox/sliver/server/cryptography.ECCServerKeyPair()
    github.com/bishopfox/sliver/server/cryptography/cryptography.go:247 +0xd2
github.com/bishopfox/sliver/server/cli.glob..func4(0xa364b60?, {0x1a137a4?, 0x0?, 0x0?})
    github.com/bishopfox/sliver/server/cli/cli.go:127 +0x7a
github.com/spf13/cobra.(*Command).execute(0xa364b60, {0xc000112250, 0x0, 0x0})
    github.com/spf13/cobra@v1.7.0/command.go:944 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0xa364b60)
    github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
    github.com/spf13/cobra@v1.7.0/command.go:992
github.com/bishopfox/sliver/server/cli.Execute()
    github.com/bishopfox/sliver/server/cli/cli.go:145 +0x25
main.main()
    github.com/bishopfox/sliver/server/main.go:43 +0x17

mkannan22 commented 11 months ago

I went back one more version to 1.5.38 and it worked again.

pr0b3r7 commented 10 months ago

@mkannan22 -- how did you roll back to 1.5.38? I tried pulling the release URL from the API with curl https://api.github.com/repos/BishopFox/sliver/releases > sliver_releases.json and then modified it as such in the install script, but I keep getting this weird signature error...

Also tried deleting all gpg secret and normal keys...

Thank you,

mkannan22 commented 10 months ago

I downloaded that version and installed from that.

N00BIER commented 10 months ago

For those who are looking for 1.5.39, I slightly modified the install.sh script.

#!/bin/bash
set -e

SLIVER_GPG_KEY_ID="4449039C"

if [[ "$EUID" -ne 0 ]]; then
    echo "Please run as root"
    exit 1  # non-zero status so callers can detect the failure
fi

# Determine OS type
# Debian-based OS (Debian, Ubuntu, etc)
if command -v apt &> /dev/null; then
    echo "Installing dependencies using apt..."
    DEBIAN_FRONTEND=noninteractive apt install -yqq \
        gpg curl build-essential git \
        mingw-w64 binutils-mingw-w64 g++-mingw-w64
elif command -v yum &> /dev/null; then # Redhat-based OS (Fedora, CentOS, RHEL)
    echo "Installing dependencies using yum..."
    yum -y install gnupg curl gcc gcc-c++ make mingw64-gcc git
else
    echo "Unsupported OS, exiting"
    exit 1  # non-zero status so callers can detect the failure
fi

# Verify if necessary tools are installed
for cmd in curl awk gpg; do
    if ! command -v "$cmd" &> /dev/null; then
        echo "$cmd could not be found, exiting"
        exit 1
    fi
done

cd /root || exit
echo "Running from $(pwd)"

echo "Importing GPG key..."
gpg --import <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGBlvl8BEACpoAriv9d1vf9FioSKCrretCZg4RnpjEVNDyy6Y4eFp5dyR9KK
VJbm8gP4ymgqoTrjwqRp/tSiTB6h/inKnxlgy7It0gsRNRpZCGslPRVIQQBStiTv
sxQ4qIxebvku/4/dqoSmJzhNg9MzClR8HTO7Iv74jP7gGMD+gebvXwapstBkua66
N4OPRVyau3FvkD1hZR+XWLBA9ba3Ow7XRA/jl4Mk5LpsqUbFEWbung4oBPKtyriM
RkiRxOpkR7tAGGlay0kfCt9V6ip5GSb2+Mogk3jeqsD1BryABAlgWznxBbK5StXN
OXRzAT1TbGeEZ0K8FCXYWHLuakEntVKF2w1VaJ+bJDRLEecuiCmAj1kh9Xx99o5z
Lbgq+1Vad11Bx+9teOflLqil3H19YZPQIkunlW2ugqlvg9V5bywjh6GzRM0r83Oo
mY7aA75Teueaf2DX/23y+2UG924B9F2DrpNOfnIOb7ytFjVzDa02lpedF1OH0cv6
mRObEr0N6vJh223XduZDMk1uLIuVkmX5uVjfR5lWafWedykDMGbOYi4o+sABc9+8
3THwPKg4aRhwWBnblPKqzo598BP1/D1+GAxyc59nMNwFfOTmU7PIfhx7laG9/zxA
L1CygInIxZbr++NW4vr0qqbLHwX9fKY3C2iee5Q4N8a51bqXEdoM1R+gUwARAQAB
tB1TbGl2ZXIgPHNsaXZlckBiaXNob3Bmb3guY29tPokCTgQTAQgAOBYhBA7TkA0p
bPoCg6TkZn35EkBESQOcBQJgZb5fAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
AAoJEH35EkBESQOcRr8QAI/b9hSOd80uk+I75NbxMeBk1QPZvA3Zj6wO22V4vj0w
9WlgwT30I5Zgjcmp+hp/+Mf+ywHzlyFRySVm6X1JYgLBT0GLZJvLBjW1oEdah7NP
i1snzU3v1aRYXwhj1HdIO4HHCJ/y4hv7S1AIQgCtsZ+tQFAA7e8xvj/dgC5xjl5p
2xxC+P9ZQTuCbO8WyxTMPt/Z/nnQfRO0og/GGLYrJyPed+w6wcThgEbW79YCG1jb
+M+MRnGZuuFkG6+J/rPPaj6R+DnDkCria0l5LUuQLTgOgFaLXEhsoGeXF6MjwIIb
bjL8uf4xmJpudbh1TS1IgriURZQkfypANXGK2O81VOcvrfL+u76Rv96M9BAHbxwZ
l+iVqXhsYHytV0/E8ouuL3UaX/8QNiD2YSLczHc2htq7yCwo7bNCl5P7kySAjTGM
mJmlJYD1DfRw8uw1or8EtxxwBVlpzNa5Bpnu6HGh7oFtA1ynGaO+VHngfKSUJkYJ
7y6ZW9wyWdGiKe5Sdp99ngL5+r9fnUChs3MVSE6Fl/WPobALlh57X51+Q7SENXQZ
a5mSNRGf4ZaaJnCIo3/PXJcqIjxC2CP5rtab1F9fSttUwWYSBcw7voN2COHfaipJ
JM5PvcLpyi6K5ZP17kjXkRU+hVWGufEmmakE5Mqr4wfsKcggAF7Oatbll1BpKzb2
uQINBGBlvl8BEACstG4cNeuYsRuKGinYs3P4X0l/r/Z2gFnwBf3l+X5IQKUxbW/l
32UMSEPUZCnojp8iHnmnL5N0AXLRi7rGU4coQysVwCd09apFom4WZNHGFfd0u+V/
zxaJ9Lxn6CVoMR1aQ2WCLSy/q06/T3OY7NE5rimtgPOtW2gXu0NLZD54D4SAdCNr
GF1iUK1R1AKIiY2R2Orp+yUBdUrFqHX9HyGvSC9eFzNGRBfLuW0P9ygUoyebZRBK
uT7QONgdduvfwJ7T8qYSHrPotOz/bsqcVEoYXFQ5XR/6WW1wJEeBeqBvhqYpsJaE
0h1zpzK1z6I5jBolyXdznCvm4OPGErynRIsseOtGrYAPFlMdZEUzrVPxbKQ0LVGH
bDA+PBgwwktt6wgJImGal8KpIbI6nVChCyLv/Ry7+mW15BFjDx3Mdf7Og4HN1KmZ
Tync6eEW11sculkC2QWXyrjb+o6bdF/6hNsa4XB2XKPCCMECxrOw5vx3lsau0sot
3hhMbq+FTRXx/pMNEV9c7JaEB1EkV5UAhHHnieOk4NqlIaib5vU6Z8aBHAEvQ1x/
t+GUWEOr5zvtmvd+YGeU6egX7yrqzSUjiS613oq/Nn1x9AS+dZuxMr+H/CiCnR1U
OhrUSywALihikehthAjnZoUml6eDCO9kKss2BTqoNthDTf/WXIRE8bY5gwARAQAB
iQI2BBgBCAAgFiEEDtOQDSls+gKDpORmffkSQERJA5wFAmBlvl8CGwwACgkQffkS
QERJA5xjow/+Ou+JjNXrQ2wsa2bhXmF6sW3Fzwuzf3DnjLUU8U5I0rxvweSuVxYT
uSDw7kj6H/alxPkem/6gUAlasfq70PliH7MrBW36FmGlyFf4rO1qAnLy5w1EIQm3
9C847b0sd7SivVq0Gx1MN25aZA1w1QLPPOQZhf6EXtkVeMOeHOXvmPjyiOcUdaZH
QXMkrTbKL2mudqUiUDrptgf9b7gfW7G7RWRuzgy8+JyxAyqpasfHdD9/9vpU9twu
lT/55TwSWQ0IiorgjfJNtJAVKuZ+73MgPPbH1kmSRcUBEleJOMPZvgCHhs5y3eQS
p5qUN2kQxNXLtWKVE8j9uGzY0DqO583orjATWj52Kz7SM4uio1ZBVLcJht6YPdBH
9MkG5o3Yuzif05VBnBp8AUeLNKkW4wlg9VUwdLFuY/6vDSApbU/BSvffx4BvOGha
2RNzTaiZaiie1Hji3/dsI7dCAfajznuzSmW/fBhDZotKEZr6o1m3OTN4gs3tA/pl
1IjjARdTpaKqQGDtTu520RC5K7AIQvgIVy4sQN0jBZM5qNkr4Qt+U94A3vqjaRGX
5UofpRVFFWGP9QQAuIacdTioF05sBcw15WC9ULxi2lV8vBsVjT9zIS4zxfRE8u/G
DxkLsLOBBZZRXOrgxit+tAqinGJ6N9hOvkUlwTLfJM1tpCEFb/Z786g=
=lxj2
-----END PGP PUBLIC KEY BLOCK-----
EOF

# Download and Unpack Sliver Server
SLIVER_SERVER="sliver-server_linux"
SLIVER_CLIENT="sliver-client_linux"
URL_SERVER="https://github.com/BishopFox/sliver/releases/download/v1.5.39/sliver-server_linux"
URL_CLIENT="https://github.com/BishopFox/sliver/releases/download/v1.5.39/sliver-client_linux"

curl --silent -L "$URL_SERVER" --output "$(basename "$URL_SERVER")"
curl --silent -L "$URL_CLIENT" --output "$(basename "$URL_CLIENT")"
curl --silent -L "$URL_SERVER.sig" --output "$(basename "$URL_SERVER.sig")"
curl --silent -L "$URL_CLIENT.sig" --output "$(basename "$URL_CLIENT.sig")"

# Signature verification
echo "Verifying signatures ..."
gpg --default-key "$SLIVER_GPG_KEY_ID" --verify "/root/$SLIVER_SERVER.sig" "/root/$SLIVER_SERVER"
gpg --default-key "$SLIVER_GPG_KEY_ID" --verify "/root/$SLIVER_CLIENT.sig" "/root/$SLIVER_CLIENT"

if test -f "/root/$SLIVER_SERVER"; then
    echo "Moving the Sliver server executable to /root/sliver-server..."
    mv "/root/$SLIVER_SERVER" /root/sliver-server

    echo "Setting permissions for the Sliver server executable..."
    chmod 755 /root/sliver-server

    echo "Unpacking the Sliver server..."
    /root/sliver-server unpack --force
else
    exit 3
fi

if test -f "/root/$SLIVER_CLIENT"; then
    echo "Setting permissions for the Sliver client executable..."
    chmod 755 "/root/$SLIVER_CLIENT"

    echo "Copying the Sliver client executable to /usr/local/bin/sliver-client..."
    cp -vv "/root/$SLIVER_CLIENT" /usr/local/bin/sliver-client

    echo "Creating a symbolic link for sliver-client at /usr/local/bin/sliver..."
    ln -sf /usr/local/bin/sliver-client /usr/local/bin/sliver

    echo "Setting permissions for the symbolic link /usr/local/bin/sliver..."
    chmod 755 /usr/local/bin/sliver
else
    exit 3
fi

# systemd
echo "Configuring systemd service ..."
cat > /etc/systemd/system/sliver.service <<-EOF
[Unit]
Description=Sliver
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=on-failure
RestartSec=3
User=root
ExecStart=/root/sliver-server daemon

[Install]
WantedBy=multi-user.target
EOF
chown root:root /etc/systemd/system/sliver.service
chmod 600 /etc/systemd/system/sliver.service
echo "Starting the Sliver service..."
systemctl start sliver # Start the service now

# Generate local configs
echo "Generating local configs ..."

# Generate local configs
echo "Generating operator configs ..."
mkdir -p /root/.sliver-client/configs
/root/sliver-server operator --name root --lhost localhost --save /root/.sliver-client/configs
chown -R root:root /root/.sliver-client/

USER_DIRS=(/home/*)
for USER_DIR in "${USER_DIRS[@]}"; do
    USER=$(basename "$USER_DIR")
    if id -u "$USER" >/dev/null 2>&1; then
        echo "Generating operator configs for user $USER..."
        mkdir -p "$USER_DIR/.sliver-client/configs"
        /root/sliver-server operator --name "$USER" --lhost localhost --save "$USER_DIR/.sliver-client/configs"
        chown -R "$USER":"$(id -gn "$USER")" "$USER_DIR/.sliver-client/"
    fi
done

pr0b3r7 commented 10 months ago

Worked around my issues with the install script file by just installing from the client/server binaries manually, as per @mkannan22's recommendation.

pr0b3r7 commented 10 months ago

> I went back one more version to 1.5.38 and it worked again.

Hi @moloch-- - thank you for your hard work on this framework. It is awesome!

I proceeded to roll back to 1.5.38 and am still getting the same query error: invalid rcode error, and the implant does not connect via DNS.

Seems like you are working on a fix for the latest version from this message: https://github.com/BishopFox/sliver/issues/1354#issuecomment-1669926035

Listener was generated with: dns --domains subdomain.domain.tld. --lport 53

Implant was generated with: generate --dns subdomain.domain.tld. --debug --os windows --evasion --format exe --save /home/kali/53_DNS_debug_subdomain.domain.tld._Sliver_x64.exe

.exe and .dll implants were tested with the same result. Logs below

tcpdump logs running on the server where Sliver listener is configured:


tcpdump: listening on tailscale0, link-type RAW (Raw IP), snapshot length 262144 bytes
15:28:28.096030 IP (tos 0x0, ttl 53, id 42881, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.3999 > 2.2.2.2.53: [udp sum ok] 3329% [1au] A? TesT.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (65)
15:28:36.386631 IP (tos 0x0, ttl 46, id 14748, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.30751 > 2.2.2.2.53: [udp sum ok] 64279% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (65)
15:28:36.763412 IP (tos 0x0, ttl 48, id 14749, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.47637 > 2.2.2.2.53: [udp sum ok] 62680% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:37.140842 IP (tos 0x0, ttl 46, id 14750, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.35865 > 2.2.2.2.53: [udp sum ok] 43323% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (65)
15:28:37.892949 IP (tos 0x0, ttl 48, id 14751, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.34768 > 2.2.2.2.53: [udp sum ok] 53826% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:38.645760 IP (tos 0x0, ttl 48, id 14752, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.24636 > 2.2.2.2.53: [udp sum ok] 47084% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (65)
15:28:40.150623 IP (tos 0x0, ttl 46, id 14753, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.27384 > 2.2.2.2.53: [udp sum ok] 10919% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:41.654750 IP (tos 0x0, ttl 48, id 14754, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.12406 > 2.2.2.2.53: [udp sum ok] 3772% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (65)
15:28:44.662852 IP (tos 0x0, ttl 46, id 14755, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.31355 > 2.2.2.2.53: [udp sum ok] 16207% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:47.672199 IP (tos 0x0, ttl 46, id 14756, offset 0, flags [none], proto UDP (17), length 82)
    1.1.1.1.32682 > 2.2.2.2.53: [udp sum ok] 17126 A? test.subdomain.domain.tld. (54)
15:28:47.692442 IP (tos 0x80, ttl 117, id 33080, offset 0, flags [none], proto UDP (17), length 104)
    1.1.1.1.63350 > 2.2.2.2.53: [udp sum ok] 16299% [1au] A? TESt.subdomain.domain.tld. ar: . OPT UDPsize=1400 DO [ECS 3.3.3.0/24/0] (76)
15:28:47.692585 IP (tos 0x0, ttl 52, id 12096, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.34639 > 2.2.2.2.53: [udp sum ok] 18372% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:47.692848 IP (tos 0x0, ttl 52, id 23250, offset 0, flags [none], proto UDP (17), length 82)
    1.1.1.1.47188 > 2.2.2.2.53: [udp sum ok] 19827% A? TeSt.subdomain.domain.tld. (54)
15:28:47.693689 IP (tos 0x0, ttl 54, id 14434, offset 0, flags [DF], proto UDP (17), length 88)
    1.1.1.1.44436 > 2.2.2.2.53: [udp sum ok] 8178 [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1232 DO (60)
15:28:47.693946 IP (tos 0x0, ttl 53, id 14435, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.25762 > 2.2.2.2.53: [udp sum ok] 31977 [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1232 DO (57)
15:28:47.694989 IP (tos 0x0, ttl 52, id 14436, offset 0, flags [DF], proto UDP (17), length 88)
    1.1.1.1.17770 > 2.2.2.2.53: [udp sum ok] 4042 [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1232 DO (60)
15:28:47.695213 IP (tos 0x0, ttl 50, id 43309, offset 0, flags [DF], proto UDP (17), length 93)
    1.1.1.1.23525 > 2.2.2.2.53: [udp sum ok] 56162 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1452 DO (65)
15:28:47.695525 IP (tos 0x0, ttl 54, id 14437, offset 0, flags [DF], proto UDP (17), length 85)
    1.1.1.1.5892 > 2.2.2.2.53: [udp sum ok] 48721 [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1232 DO (57)
15:28:47.695545 IP (tos 0x0, ttl 51, id 14438, offset 0, flags [DF], proto UDP (17), length 93)
    1.1.1.1.46775 > 2.2.2.2.53: [udp sum ok] 64105 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1232 DO (65)
15:28:47.695689 IP (tos 0x0, ttl 54, id 14439, offset 0, flags [none], proto UDP (17), length 102)
    1.1.1.1.38726 > 2.2.2.2.53: [udp sum ok] 20266 [1au] A? _.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (74)
15:28:47.696229 IP (tos 0x0, ttl 50, id 866, offset 0, flags [DF], proto UDP (17), length 88)
    1.1.1.1.14453 > 2.2.2.2.53: [udp sum ok] 16700 [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1452 DO (60)
15:28:47.703487 IP (tos 0x0, ttl 49, id 61950, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.46255 > 2.2.2.2.53: [udp sum ok] 26423% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:47.776647 IP (tos 0x0, ttl 46, id 6153, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.13948 > 2.2.2.2.53: [udp sum ok] 29190% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:47.781537 IP (tos 0x0, ttl 48, id 18867, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.9477 > 2.2.2.2.53: [udp sum ok] 49533% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:47.804016 IP (tos 0x0, ttl 48, id 32403, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.3788 > 2.2.2.2.53: [udp sum ok] 6091% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:47.887794 IP (tos 0x0, ttl 43, id 22619, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.43113 > 2.2.2.2.53: [udp sum ok] 50520% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:47.913251 IP (tos 0x0, ttl 36, id 58535, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.48220 > 2.2.2.2.53: [udp sum ok] 21783% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:47.984710 IP (tos 0x0, ttl 43, id 32190, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.13898 > 2.2.2.2.53: [udp sum ok] 52396% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:48.060603 IP (tos 0x0, ttl 50, id 43310, offset 0, flags [DF], proto UDP (17), length 93)
    1.1.1.1.23525 > 2.2.2.2.53: [udp sum ok] 56162 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1452 DO (65)
15:28:48.068742 IP (tos 0x0, ttl 51, id 12097, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.21831 > 2.2.2.2.53: [udp sum ok] 35765% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:48.154275 IP (tos 0x0, ttl 49, id 45842, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.8546 > 2.2.2.2.53: [udp sum ok] 47856% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:48.155176 IP (tos 0x0, ttl 45, id 18923, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.49903 > 2.2.2.2.53: [udp sum ok] 58139% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:48.165961 IP (tos 0x0, ttl 46, id 6201, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.38362 > 2.2.2.2.53: [udp sum ok] 32246% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:48.197835 IP (tos 0x0, ttl 50, id 867, offset 0, flags [DF], proto UDP (17), length 88)
    1.1.1.1.14453 > 2.2.2.2.53: [udp sum ok] 16700 [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1452 DO (60)
15:28:48.336637 IP (tos 0x0, ttl 43, id 53348, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.9488 > 2.2.2.2.53: [udp sum ok] 22719% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:48.445238 IP (tos 0x0, ttl 53, id 12098, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.4129 > 2.2.2.2.53: [udp sum ok] 45357% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:48.495614 IP (tos 0x0, ttl 53, id 14902, offset 0, flags [none], proto UDP (17), length 102)
    1.1.1.1.43660 > 2.2.2.2.53: [udp sum ok] 60106 [1au] A? _.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (74)
15:28:48.503907 IP (tos 0x0, ttl 49, id 20413, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.2584 > 2.2.2.2.53: [udp sum ok] 26563% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:48.526660 IP (tos 0x0, ttl 45, id 18931, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.38933 > 2.2.2.2.53: [udp sum ok] 34167% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:48.528135 IP (tos 0x0, ttl 46, id 6234, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.21773 > 2.2.2.2.53: [udp sum ok] 37745% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:48.685201 IP (tos 0x0, ttl 42, id 61483, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.4816 > 2.2.2.2.53: [udp sum ok] 21498% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:48.693448 IP (tos 0x0, ttl 52, id 14215, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.49326 > 2.2.2.2.53: [udp sum ok] 36567% [1au] A? TESt.subdomain.domain.tld. ar: . OPT UDPsize=1400 DO (65)
15:28:49.104187 IP (tos 0x0, ttl 49, id 41813, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.20543 > 2.2.2.2.53: [udp sum ok] 4305% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:49.197466 IP (tos 0x0, ttl 53, id 12099, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.43611 > 2.2.2.2.53: [udp sum ok] 7198% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:49.279140 IP (tos 0x0, ttl 46, id 19019, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.39721 > 2.2.2.2.53: [udp sum ok] 34885% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:49.280050 IP (tos 0x0, ttl 46, id 6403, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.9962 > 2.2.2.2.53: [udp sum ok] 10605% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:49.285925 IP (tos 0x0, ttl 43, id 34080, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.53995 > 2.2.2.2.53: [udp sum ok] 55594% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:49.295676 IP (tos 0x0, ttl 53, id 15212, offset 0, flags [none], proto UDP (17), length 102)
    1.1.1.1.59255 > 2.2.2.2.53: [udp sum ok] 28456 [1au] A? _.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (74)
15:28:49.475329 IP (tos 0x0, ttl 54, id 15286, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.41810 > 2.2.2.2.53: [udp sum ok] 47975% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:49.475378 IP (tos 0x0, ttl 52, id 15287, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.10901 > 2.2.2.2.53: [udp sum ok] 35510% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:49.704864 IP (tos 0x0, ttl 49, id 9888, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.2541 > 2.2.2.2.53: [udp sum ok] 60339% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:49.712673 IP (tos 0x0, ttl 49, id 17663, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.53896 > 2.2.2.2.53: [udp sum ok] 52249% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:49.885496 IP (tos 0x0, ttl 45, id 14653, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.65083 > 2.2.2.2.53: [udp sum ok] 17204% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:50.033738 IP (tos 0x0, ttl 48, id 6550, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.40931 > 2.2.2.2.53: [udp sum ok] 62736% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:50.035555 IP (tos 0x0, ttl 48, id 19188, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.53758 > 2.2.2.2.53: [udp sum ok] 53069% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:28:50.095847 IP (tos 0x0, ttl 51, id 15871, offset 0, flags [none], proto UDP (17), length 102)
    1.1.1.1.45982 > 2.2.2.2.53: [udp sum ok] 39269 [1au] A? _.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (74)
15:28:50.274867 IP (tos 0x0, ttl 54, id 16046, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.63087 > 2.2.2.2.53: [udp sum ok] 14848% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:50.274903 IP (tos 0x0, ttl 54, id 16047, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.4277 > 2.2.2.2.53: [udp sum ok] 51457% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:50.712754 IP (tos 0x0, ttl 49, id 53181, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.62103 > 2.2.2.2.53: [udp sum ok] 19509% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:50.719715 IP (tos 0x0, ttl 47, id 57113, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.15396 > 2.2.2.2.53: [udp sum ok] 6059% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:50.888528 IP (tos 0x0, ttl 45, id 7714, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.31291 > 2.2.2.2.53: [udp sum ok] 16613% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:50.895614 IP (tos 0x0, ttl 53, id 16274, offset 0, flags [none], proto UDP (17), length 102)
    1.1.1.1.43682 > 2.2.2.2.53: [udp sum ok] 45382 [1au] A? _.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (74)
15:28:51.074878 IP (tos 0x0, ttl 51, id 16436, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.22462 > 2.2.2.2.53: [udp sum ok] 8188% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:51.074928 IP (tos 0x0, ttl 54, id 16437, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.52578 > 2.2.2.2.53: [udp sum ok] 36414% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:51.535505 IP (tos 0x0, ttl 48, id 19366, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.46462 > 2.2.2.2.53: [udp sum ok] 28199% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:51.535961 IP (tos 0x0, ttl 48, id 6638, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.18427 > 2.2.2.2.53: [udp sum ok] 18190% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (60)
15:28:51.695829 IP (tos 0x0, ttl 51, id 16928, offset 0, flags [none], proto UDP (17), length 102)
    1.1.1.1.46954 > 2.2.2.2.53: [udp sum ok] 2975 [1au] A? _.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (74)
15:28:51.697651 IP (tos 0x0, ttl 50, id 16929, offset 0, flags [none], proto UDP (17), length 116)
    1.1.1.1.28005 > 2.2.2.2.53: [udp sum ok] 49871 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e,ECS 3.3.3.0/24/0] (88)
15:28:51.874891 IP (tos 0x0, ttl 51, id 17106, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.21688 > 2.2.2.2.53: [udp sum ok] 33875% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:51.874936 IP (tos 0x0, ttl 54, id 17107, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.49909 > 2.2.2.2.53: [udp sum ok] 60288% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:51.885326 IP (tos 0x0, ttl 43, id 10295, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.56374 > 2.2.2.2.53: [udp sum ok] 13610% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:51.910815 IP (tos 0x0, ttl 48, id 19420, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.34978 > 2.2.2.2.53: [udp sum ok] 37462% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (65)
15:28:51.916316 IP (tos 0x0, ttl 48, id 6692, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.62231 > 2.2.2.2.53: [udp sum ok] 54295% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (65)
15:28:52.498042 IP (tos 0x0, ttl 50, id 17399, offset 0, flags [none], proto UDP (17), length 116)
    1.1.1.1.42899 > 2.2.2.2.53: [udp sum ok] 14608 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e,ECS 3.3.3.0/24/0] (88)
15:28:52.663532 IP (tos 0x0, ttl 46, id 19514, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.62713 > 2.2.2.2.53: [udp sum ok] 34266% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:52.668326 IP (tos 0x0, ttl 48, id 6744, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.7630 > 2.2.2.2.53: [udp sum ok] 2287% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:52.674718 IP (tos 0x0, ttl 54, id 17425, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.50281 > 2.2.2.2.53: [udp sum ok] 7635% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:52.674761 IP (tos 0x0, ttl 52, id 17426, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.51921 > 2.2.2.2.53: [udp sum ok] 65370% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:52.676448 IP (tos 0x0, ttl 52, id 17428, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.62970 > 2.2.2.2.53: [udp sum ok] 48366% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:52.801719 IP (tos 0x0, ttl 48, id 59738, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.7606 > 2.2.2.2.53: [udp sum ok] 49487% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:52.897749 IP (tos 0x0, ttl 50, id 26591, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.54190 > 2.2.2.2.53: [udp sum ok] 35732% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:53.039827 IP (tos 0x0, ttl 46, id 6769, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.8436 > 2.2.2.2.53: [udp sum ok] 34136% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (65)
15:28:53.252022 IP (tos 0x0, ttl 50, id 53220, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.41627 > 2.2.2.2.53: [udp sum ok] 28841% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:53.253008 IP (tos 0x0, ttl 48, id 48284, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.64555 > 2.2.2.2.53: [udp sum ok] 63088% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:53.297775 IP (tos 0x0, ttl 50, id 17880, offset 0, flags [none], proto UDP (17), length 116)
    1.1.1.1.9334 > 2.2.2.2.53: [udp sum ok] 43525 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e,ECS 3.3.3.0/24/0] (88)
15:28:53.353242 IP (tos 0x0, ttl 46, id 39188, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.13053 > 2.2.2.2.53: [udp sum ok] 11652% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:53.420002 IP (tos 0x0, ttl 47, id 19675, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.38780 > 2.2.2.2.53: [udp sum ok] 13264% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (65)
15:28:53.474623 IP (tos 0x0, ttl 52, id 17921, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.14282 > 2.2.2.2.53: [udp sum ok] 6630% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:53.597682 IP (tos 0x0, ttl 48, id 27199, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.57893 > 2.2.2.2.53: [udp sum ok] 18872% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:53.703690 IP (tos 0x0, ttl 48, id 19537, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.10591 > 2.2.2.2.53: [udp sum ok] 36798% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:53.735993 IP (tos 0x0, ttl 46, id 15604, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.20301 > 2.2.2.2.53: [udp sum ok] 10079% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:53.796905 IP (tos 0x0, ttl 48, id 6853, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.59077 > 2.2.2.2.53: [udp sum ok] 44705% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:54.098053 IP (tos 0x0, ttl 51, id 17940, offset 0, flags [none], proto UDP (17), length 116)
    1.1.1.1.4367 > 2.2.2.2.53: [udp sum ok] 35603 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e,ECS 3.3.3.0/24/0] (88)
15:28:54.202514 IP (tos 0x0, ttl 50, id 24578, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.13545 > 2.2.2.2.53: [udp sum ok] 18552% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:54.275054 IP (tos 0x0, ttl 53, id 18003, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.56446 > 2.2.2.2.53: [udp sum ok] 19988% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:54.336677 IP (tos 0x0, ttl 45, id 16852, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.11045 > 2.2.2.2.53: [udp sum ok] 43499% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:54.543867 IP (tos 0x0, ttl 46, id 6928, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.42442 > 2.2.2.2.53: [udp sum ok] 23444% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (65)
15:28:54.798332 IP (tos 0x0, ttl 48, id 63455, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.45186 > 2.2.2.2.53: [udp sum ok] 8361% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:54.878527 IP (tos 0x0, ttl 50, id 18089, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.38049 > 2.2.2.2.53: [udp sum ok] 45054% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:54.897870 IP (tos 0x0, ttl 52, id 18539, offset 0, flags [none], proto UDP (17), length 116)
    1.1.1.1.42310 > 2.2.2.2.53: [udp sum ok] 19532 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e,ECS 3.3.3.0/24/0] (88)
15:28:54.922987 IP (tos 0x0, ttl 48, id 19892, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.6134 > 2.2.2.2.53: [udp sum ok] 8880% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:54.936311 IP (tos 0x0, ttl 48, id 37660, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.21442 > 2.2.2.2.53: [udp sum ok] 50357% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:55.294972 IP (tos 0x0, ttl 48, id 19959, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.10634 > 2.2.2.2.53: [udp sum ok] 43990% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (65)
15:28:55.874722 IP (tos 0x0, ttl 47, id 51314, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.16057 > 2.2.2.2.53: [udp sum ok] 31671% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:55.874823 IP (tos 0x0, ttl 53, id 19159, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.57396 > 2.2.2.2.53: [udp sum ok] 12038% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:55.936743 IP (tos 0x0, ttl 48, id 51589, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.47319 > 2.2.2.2.53: [udp sum ok] 45552% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:55.954645 IP (tos 0x0, ttl 49, id 33151, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.37486 > 2.2.2.2.53: [udp sum ok] 5632% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:56.052373 IP (tos 0x0, ttl 48, id 20026, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.34391 > 2.2.2.2.53: [udp sum ok] 23435% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:56.053540 IP (tos 0x0, ttl 48, id 7196, offset 0, flags [none], proto UDP (17), length 93)
    1.1.1.1.26143 > 2.2.2.2.53: [udp sum ok] 63281% [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=1472 DO (65)
15:28:56.430063 IP (tos 0x0, ttl 48, id 7275, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.34289 > 2.2.2.2.53: [udp sum ok] 41571% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:28:56.497751 IP (tos 0x0, ttl 51, id 19663, offset 0, flags [none], proto UDP (17), length 116)
    1.1.1.1.33084 > 2.2.2.2.53: [udp sum ok] 19366 [1au] A? test.subdomain.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e,ECS 3.3.3.0/24/0] (88)
15:28:56.799250 IP (tos 0x0, ttl 48, id 20136, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.10348 > 2.2.2.2.53: [udp sum ok] 1356% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:28:56.937135 IP (tos 0x0, ttl 46, id 7385, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.23381 > 2.2.2.2.53: [udp sum ok] 595% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:57.185756 IP (tos 0x0, ttl 48, id 7389, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.57196 > 2.2.2.2.53: [udp sum ok] 7906% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:28:57.308156 IP (tos 0x0, ttl 53, id 26740, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.58655 > 2.2.2.2.53: [udp sum ok] 13605% [1au] A? Ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:28:57.475030 IP (tos 0x0, ttl 54, id 19765, offset 0, flags [none], proto UDP (17), length 97)
    1.1.1.1.15427 > 2.2.2.2.53: [udp sum ok] 65338% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=512 DO [COOKIE f4f53d76d16fa22e] (69)
15:28:57.935995 IP (tos 0x0, ttl 48, id 7560, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.15114 > 2.2.2.2.53: [udp sum ok] 59760% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:28:58.303541 IP (tos 0x0, ttl 47, id 20423, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.13577 > 2.2.2.2.53: [udp sum ok] 32494% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:28:58.684712 IP (tos 0x0, ttl 46, id 20513, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.12995 > 2.2.2.2.53: [udp sum ok] 28230% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:28:58.937618 IP (tos 0x0, ttl 48, id 57428, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.30600 > 2.2.2.2.53: [udp sum ok] 11184% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:28:59.431498 IP (tos 0x0, ttl 48, id 20685, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.41865 > 2.2.2.2.53: [udp sum ok] 61377% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:28:59.436505 IP (tos 0x0, ttl 46, id 7859, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.38717 > 2.2.2.2.53: [udp sum ok] 18370% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:28:59.807977 IP (tos 0x0, ttl 46, id 7951, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.43065 > 2.2.2.2.53: [udp sum ok] 40874% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:00.183882 IP (tos 0x0, ttl 48, id 20706, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.63441 > 2.2.2.2.53: [udp sum ok] 21898% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:00.559844 IP (tos 0x0, ttl 47, id 8085, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.58992 > 2.2.2.2.53: [udp sum ok] 52887% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:01.311946 IP (tos 0x0, ttl 46, id 8123, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.23763 > 2.2.2.2.53: [udp sum ok] 21005% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:01.687731 IP (tos 0x0, ttl 46, id 20819, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.38958 > 2.2.2.2.53: [udp sum ok] 1900% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:02.063693 IP (tos 0x0, ttl 48, id 20831, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.65021 > 2.2.2.2.53: [udp sum ok] 27364% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:02.815711 IP (tos 0x0, ttl 45, id 8203, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.43842 > 2.2.2.2.53: [udp sum ok] 3084% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:02.815777 IP (tos 0x0, ttl 46, id 20962, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.55979 > 2.2.2.2.53: [udp sum ok] 52356% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:03.196905 IP (tos 0x0, ttl 46, id 8270, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.23555 > 2.2.2.2.53: [udp sum ok] 25402% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:03.567513 IP (tos 0x0, ttl 48, id 21069, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.59369 > 2.2.2.2.53: [udp sum ok] 42579% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:03.944070 IP (tos 0x0, ttl 45, id 8380, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.57262 > 2.2.2.2.53: [udp sum ok] 57791% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:04.319819 IP (tos 0x0, ttl 46, id 8428, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.26492 > 2.2.2.2.53: [udp sum ok] 62984% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:05.071868 IP (tos 0x0, ttl 48, id 21382, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.5386 > 2.2.2.2.53: [udp sum ok] 46196% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:05.076557 IP (tos 0x0, ttl 48, id 8519, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.41123 > 2.2.2.2.53: [udp sum ok] 32385% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:05.447723 IP (tos 0x0, ttl 48, id 21385, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.50995 > 2.2.2.2.53: [udp sum ok] 36860% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:05.826081 IP (tos 0x0, ttl 48, id 8624, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.17286 > 2.2.2.2.53: [udp sum ok] 1829% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:06.199570 IP (tos 0x0, ttl 48, id 21430, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.33249 > 2.2.2.2.53: [udp sum ok] 42813% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:06.951796 IP (tos 0x0, ttl 46, id 21536, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.39123 > 2.2.2.2.53: [udp sum ok] 44629% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:07.327848 IP (tos 0x0, ttl 48, id 8809, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.22316 > 2.2.2.2.53: [udp sum ok] 15781% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:07.704130 IP (tos 0x0, ttl 46, id 8836, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.24848 > 2.2.2.2.53: [udp sum ok] 53791% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:08.461360 IP (tos 0x0, ttl 48, id 8891, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.47562 > 2.2.2.2.53: [udp sum ok] 6668% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:08.461458 IP (tos 0x0, ttl 48, id 21649, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.28575 > 2.2.2.2.53: [udp sum ok] 53889% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:08.832028 IP (tos 0x0, ttl 45, id 21698, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.42447 > 2.2.2.2.53: [udp sum ok] 9656% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:08.836817 IP (tos 0x0, ttl 46, id 8942, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.17648 > 2.2.2.2.53: [udp sum ok] 63302% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:09.584238 IP (tos 0x0, ttl 46, id 21864, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.37471 > 2.2.2.2.53: [udp sum ok] 45157% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:09.588918 IP (tos 0x0, ttl 48, id 9038, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.64259 > 2.2.2.2.53: [udp sum ok] 20233% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:10.335944 IP (tos 0x0, ttl 45, id 21987, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.15244 > 2.2.2.2.53: [udp sum ok] 61763% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:10.340993 IP (tos 0x0, ttl 48, id 9084, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.15953 > 2.2.2.2.53: [udp sum ok] 20949% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:11.840205 IP (tos 0x0, ttl 45, id 22178, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.63880 > 2.2.2.2.53: [udp sum ok] 41131% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:11.852745 IP (tos 0x0, ttl 48, id 9402, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.24931 > 2.2.2.2.53: [udp sum ok] 63434% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:12.220039 IP (tos 0x0, ttl 48, id 22181, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.4633 > 2.2.2.2.53: [udp sum ok] 1508% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:12.222155 IP (tos 0x0, ttl 46, id 9465, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.64708 > 2.2.2.2.53: [udp sum ok] 29679% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:12.968136 IP (tos 0x0, ttl 48, id 9485, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.55587 > 2.2.2.2.53: [udp sum ok] 25079% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:12.968201 IP (tos 0x0, ttl 48, id 22306, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.55822 > 2.2.2.2.53: [udp sum ok] 1859% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:13.720585 IP (tos 0x0, ttl 46, id 9505, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.36609 > 2.2.2.2.53: [udp sum ok] 30633% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:13.725003 IP (tos 0x0, ttl 48, id 22427, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.39205 > 2.2.2.2.53: [udp sum ok] 11465% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:15.228957 IP (tos 0x0, ttl 48, id 22467, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.13718 > 2.2.2.2.53: [udp sum ok] 46192% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:15.229022 IP (tos 0x0, ttl 44, id 9823, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.32944 > 2.2.2.2.53: [udp sum ok] 43262% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:15.600089 IP (tos 0x0, ttl 46, id 22480, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.44585 > 2.2.2.2.53: [udp sum ok] 2364% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:15.614018 IP (tos 0x0, ttl 44, id 9909, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.61728 > 2.2.2.2.53: [udp sum ok] 6743% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:16.352577 IP (tos 0x0, ttl 46, id 22619, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.16635 > 2.2.2.2.53: [udp sum ok] 37271% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:16.366333 IP (tos 0x0, ttl 46, id 9921, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.62950 > 2.2.2.2.53: [udp sum ok] 26741% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:17.114315 IP (tos 0x0, ttl 48, id 9998, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.31498 > 2.2.2.2.53: [udp sum ok] 17470% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:17.117309 IP (tos 0x0, ttl 48, id 22708, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.22417 > 2.2.2.2.53: [udp sum ok] 46805% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:18.620973 IP (tos 0x0, ttl 48, id 22746, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.63950 > 2.2.2.2.53: [udp sum ok] 14127% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:18.627931 IP (tos 0x0, ttl 48, id 10144, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.44453 > 2.2.2.2.53: [udp sum ok] 18110% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:18.996987 IP (tos 0x0, ttl 48, id 22753, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.5862 > 2.2.2.2.53: [udp sum ok] 58706% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:18.997299 IP (tos 0x0, ttl 46, id 10235, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.60696 > 2.2.2.2.53: [udp sum ok] 11010% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:19.744452 IP (tos 0x0, ttl 45, id 22920, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.44058 > 2.2.2.2.53: [udp sum ok] 44431% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:19.750943 IP (tos 0x0, ttl 46, id 10404, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.54385 > 2.2.2.2.53: [udp sum ok] 48317% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:20.120054 IP (tos 0x0, ttl 48, id 22939, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.23714 > 2.2.2.2.53: [udp sum ok] 18611% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:20.501732 IP (tos 0x0, ttl 48, id 10524, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.62861 > 2.2.2.2.53: [udp sum ok] 9955% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:20.878468 IP (tos 0x0, ttl 45, id 23021, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.25434 > 2.2.2.2.53: [udp sum ok] 21437% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:20.883012 IP (tos 0x0, ttl 46, id 10618, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.15420 > 2.2.2.2.53: [udp sum ok] 53758% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:21.253423 IP (tos 0x0, ttl 46, id 10624, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.29299 > 2.2.2.2.53: [udp sum ok] 38119% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:21.624292 IP (tos 0x0, ttl 46, id 23108, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.46230 > 2.2.2.2.53: [udp sum ok] 19754% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:21.631437 IP (tos 0x0, ttl 232, id 54321, offset 0, flags [none], proto UDP (17), length 58)
    1.1.1.1.32953 > 2.2.2.2.53: [no cksum] 13551+ TXT CHAOS? VERSION.BIND. (30)
15:29:22.000781 IP (tos 0x0, ttl 48, id 10721, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.27353 > 2.2.2.2.53: [udp sum ok] 51120% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:22.383103 IP (tos 0x0, ttl 48, id 10799, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.54484 > 2.2.2.2.53: [udp sum ok] 38649% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:23.128455 IP (tos 0x0, ttl 46, id 23398, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.24424 > 2.2.2.2.53: [udp sum ok] 8730% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:23.133773 IP (tos 0x0, ttl 46, id 10911, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.49473 > 2.2.2.2.53: [udp sum ok] 43366% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:23.504241 IP (tos 0x0, ttl 48, id 23426, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.64093 > 2.2.2.2.53: [udp sum ok] 2895% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:23.893446 IP (tos 0x0, ttl 48, id 10920, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.14896 > 2.2.2.2.53: [udp sum ok] 46438% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:24.256592 IP (tos 0x0, ttl 45, id 23519, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.21576 > 2.2.2.2.53: [udp sum ok] 45321% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:25.026590 IP (tos 0x0, ttl 48, id 23669, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.56114 > 2.2.2.2.53: [udp sum ok] 52613% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:25.393662 IP (tos 0x0, ttl 44, id 10953, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.39010 > 2.2.2.2.53: [udp sum ok] 34936% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:25.771826 IP (tos 0x0, ttl 46, id 11013, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.59871 > 2.2.2.2.53: [udp sum ok] 34942% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:26.516242 IP (tos 0x0, ttl 46, id 23957, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.64774 > 2.2.2.2.53: [udp sum ok] 6265% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:26.517209 IP (tos 0x0, ttl 45, id 11063, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.22272 > 2.2.2.2.53: [udp sum ok] 57150% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:26.893274 IP (tos 0x0, ttl 46, id 24001, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.62161 > 2.2.2.2.53: [udp sum ok] 56594% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:27.268977 IP (tos 0x0, ttl 48, id 11145, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.10729 > 2.2.2.2.53: [udp sum ok] 53329% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:27.644459 IP (tos 0x0, ttl 46, id 24042, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.49675 > 2.2.2.2.53: [udp sum ok] 18828% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:28.401176 IP (tos 0x0, ttl 46, id 24054, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.49976 > 2.2.2.2.53: [udp sum ok] 32129% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:28.772960 IP (tos 0x0, ttl 48, id 11481, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.15197 > 2.2.2.2.53: [udp sum ok] 26393% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:29.149379 IP (tos 0x0, ttl 46, id 11568, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.33935 > 2.2.2.2.53: [udp sum ok] 28353% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:29.905369 IP (tos 0x0, ttl 45, id 24235, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.55432 > 2.2.2.2.53: [udp sum ok] 8437% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:29.905841 IP (tos 0x0, ttl 48, id 11593, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.50190 > 2.2.2.2.53: [udp sum ok] 47082% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:30.276525 IP (tos 0x0, ttl 46, id 24306, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.46406 > 2.2.2.2.53: [udp sum ok] 37380% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:30.652713 IP (tos 0x0, ttl 48, id 11755, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.9569 > 2.2.2.2.53: [udp sum ok] 42588% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:31.033690 IP (tos 0x0, ttl 46, id 24315, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.41505 > 2.2.2.2.53: [udp sum ok] 44499% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:31.785878 IP (tos 0x0, ttl 48, id 24347, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.39655 > 2.2.2.2.53: [udp sum ok] 46728% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:32.160738 IP (tos 0x0, ttl 46, id 12073, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.26356 > 2.2.2.2.53: [udp sum ok] 59285% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:32.537902 IP (tos 0x0, ttl 48, id 12121, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.37492 > 2.2.2.2.53: [udp sum ok] 46869% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:33.284511 IP (tos 0x0, ttl 46, id 24480, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.56175 > 2.2.2.2.53: [udp sum ok] 53321% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:33.289628 IP (tos 0x0, ttl 48, id 12231, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.52902 > 2.2.2.2.53: [udp sum ok] 12527% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:33.661053 IP (tos 0x0, ttl 46, id 24522, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.62793 > 2.2.2.2.53: [udp sum ok] 42725% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:34.050857 IP (tos 0x0, ttl 46, id 12403, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.33940 > 2.2.2.2.53: [udp sum ok] 61295% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:34.417384 IP (tos 0x0, ttl 46, id 24582, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.42331 > 2.2.2.2.53: [udp sum ok] 22113% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:35.169727 IP (tos 0x0, ttl 46, id 24624, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.28276 > 2.2.2.2.53: [udp sum ok] 35648% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:35.554936 IP (tos 0x0, ttl 48, id 12576, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.38495 > 2.2.2.2.53: [udp sum ok] 64371% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:35.925715 IP (tos 0x0, ttl 48, id 12579, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.13789 > 2.2.2.2.53: [udp sum ok] 34337% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:36.673077 IP (tos 0x0, ttl 48, id 24746, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.6198 > 2.2.2.2.53: [udp sum ok] 35966% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:36.677078 IP (tos 0x0, ttl 48, id 12666, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.47895 > 2.2.2.2.53: [udp sum ok] 62204% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:37.045497 IP (tos 0x0, ttl 46, id 24808, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.34235 > 2.2.2.2.53: [udp sum ok] 19349% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:37.052928 IP (tos 0x0, ttl 48, id 12704, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.62023 > 2.2.2.2.53: [udp sum ok] 37538% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:37.801825 IP (tos 0x0, ttl 45, id 24957, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.46465 > 2.2.2.2.53: [udp sum ok] 62048% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:37.804844 IP (tos 0x0, ttl 48, id 12744, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.4411 > 2.2.2.2.53: [udp sum ok] 10985% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:38.178211 IP (tos 0x0, ttl 48, id 25021, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.38070 > 2.2.2.2.53: [udp sum ok] 17357% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:38.558144 IP (tos 0x0, ttl 48, id 12812, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.53698 > 2.2.2.2.53: [udp sum ok] 7675% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:38.924534 IP (tos 0x0, ttl 46, id 25174, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.56096 > 2.2.2.2.53: [udp sum ok] 51886% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:38.937850 IP (tos 0x0, ttl 48, id 12831, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.52532 > 2.2.2.2.53: [udp sum ok] 24230% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:39.314021 IP (tos 0x0, ttl 46, id 12861, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.19105 > 2.2.2.2.53: [udp sum ok] 1275% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:39.680932 IP (tos 0x0, ttl 48, id 25230, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.10862 > 2.2.2.2.53: [udp sum ok] 19487% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:40.058370 IP (tos 0x0, ttl 46, id 25296, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.13133 > 2.2.2.2.53: [udp sum ok] 50269% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:40.062293 IP (tos 0x0, ttl 48, id 12949, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.63587 > 2.2.2.2.53: [udp sum ok] 38232% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:40.428783 IP (tos 0x0, ttl 48, id 25387, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.62857 > 2.2.2.2.53: [udp sum ok] 8425% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:40.443197 IP (tos 0x0, ttl 48, id 13005, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.56800 > 2.2.2.2.53: [udp sum ok] 38951% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:41.185551 IP (tos 0x0, ttl 45, id 25465, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.46186 > 2.2.2.2.53: [udp sum ok] 12093% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:41.194437 IP (tos 0x0, ttl 46, id 13136, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.55437 > 2.2.2.2.53: [udp sum ok] 5593% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:41.561720 IP (tos 0x0, ttl 45, id 25513, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.10325 > 2.2.2.2.53: [udp sum ok] 61143% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:41.566266 IP (tos 0x0, ttl 48, id 13152, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.64753 > 2.2.2.2.53: [udp sum ok] 254% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:42.308855 IP (tos 0x0, ttl 46, id 25645, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.7098 > 2.2.2.2.53: [udp sum ok] 22256% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:42.317728 IP (tos 0x0, ttl 45, id 13252, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.32823 > 2.2.2.2.53: [udp sum ok] 8440% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:42.684954 IP (tos 0x0, ttl 48, id 25734, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.33701 > 2.2.2.2.53: [udp sum ok] 7361% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:42.697785 IP (tos 0x0, ttl 48, id 13313, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.25140 > 2.2.2.2.53: [udp sum ok] 40056% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:43.441878 IP (tos 0x0, ttl 48, id 25799, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.55608 > 2.2.2.2.53: [udp sum ok] 49188% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:43.451330 IP (tos 0x0, ttl 46, id 13334, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.56063 > 2.2.2.2.53: [udp sum ok] 21593% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:43.821548 IP (tos 0x0, ttl 48, id 13356, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.48684 > 2.2.2.2.53: [udp sum ok] 78% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:43.825619 IP (tos 0x0, ttl 45, id 25869, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.35442 > 2.2.2.2.53: [udp sum ok] 43836% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:44.577979 IP (tos 0x0, ttl 48, id 26027, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.45819 > 2.2.2.2.53: [udp sum ok] 30411% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:44.580002 IP (tos 0x0, ttl 45, id 13475, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.17817 > 2.2.2.2.53: [udp sum ok] 56787% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:44.954072 IP (tos 0x0, ttl 45, id 13488, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.18383 > 2.2.2.2.53: [udp sum ok] 44968% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:45.325038 IP (tos 0x0, ttl 46, id 26160, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.10340 > 2.2.2.2.53: [udp sum ok] 58217% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:45.707124 IP (tos 0x0, ttl 46, id 13566, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.31758 > 2.2.2.2.53: [udp sum ok] 354% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:46.088698 IP (tos 0x0, ttl 46, id 13579, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.13825 > 2.2.2.2.53: [udp sum ok] 37563% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:46.833359 IP (tos 0x0, ttl 46, id 13701, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.33153 > 2.2.2.2.53: [udp sum ok] 46361% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:46.833638 IP (tos 0x0, ttl 48, id 26172, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.35339 > 2.2.2.2.53: [udp sum ok] 43458% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:47.210075 IP (tos 0x0, ttl 48, id 26203, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.7699 > 2.2.2.2.53: [udp sum ok] 46536% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:47.214378 IP (tos 0x0, ttl 48, id 13718, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.40609 > 2.2.2.2.53: [udp sum ok] 17477% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:47.957138 IP (tos 0x0, ttl 48, id 26345, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.58066 > 2.2.2.2.53: [udp sum ok] 51813% [1au] A? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:47.961780 IP (tos 0x0, ttl 46, id 13845, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.45060 > 2.2.2.2.53: [udp sum ok] 39980% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:48.333340 IP (tos 0x0, ttl 46, id 26429, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.54005 > 2.2.2.2.53: [udp sum ok] 24767% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:48.345674 IP (tos 0x0, ttl 48, id 13904, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.51209 > 2.2.2.2.53: [udp sum ok] 57992% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:49.089779 IP (tos 0x0, ttl 45, id 13908, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.4428 > 2.2.2.2.53: [udp sum ok] 7725% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:49.089849 IP (tos 0x0, ttl 46, id 26433, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.51085 > 2.2.2.2.53: [udp sum ok] 35336% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:49.465448 IP (tos 0x0, ttl 48, id 26462, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.37722 > 2.2.2.2.53: [udp sum ok] 23342% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:49.466537 IP (tos 0x0, ttl 46, id 13935, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.29515 > 2.2.2.2.53: [udp sum ok] 8884% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:50.213820 IP (tos 0x0, ttl 48, id 26628, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.37186 > 2.2.2.2.53: [udp sum ok] 27592% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:50.217820 IP (tos 0x0, ttl 48, id 14041, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.15433 > 2.2.2.2.53: [udp sum ok] 27017% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:50.594223 IP (tos 0x0, ttl 48, id 26698, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.12374 > 2.2.2.2.53: [udp sum ok] 42096% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:50.598468 IP (tos 0x0, ttl 48, id 14068, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.8896 > 2.2.2.2.53: [udp sum ok] 25641% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:51.341261 IP (tos 0x0, ttl 45, id 26721, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.12994 > 2.2.2.2.53: [udp sum ok] 45957% [1au] AAAA? ns2.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:51.350094 IP (tos 0x0, ttl 46, id 14118, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.58503 > 2.2.2.2.53: [udp sum ok] 36217% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:51.717271 IP (tos 0x0, ttl 46, id 26725, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.7914 > 2.2.2.2.53: [udp sum ok] 15951% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:51.726026 IP (tos 0x0, ttl 46, id 14122, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.48287 > 2.2.2.2.53: [udp sum ok] 50748% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:52.474188 IP (tos 0x0, ttl 48, id 26745, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.6641 > 2.2.2.2.53: [udp sum ok] 4582% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:52.476188 IP (tos 0x0, ttl 46, id 14207, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.37731 > 2.2.2.2.53: [udp sum ok] 4019% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:52.851863 IP (tos 0x0, ttl 46, id 14243, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.25531 > 2.2.2.2.53: [udp sum ok] 46803% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:53.221337 IP (tos 0x0, ttl 48, id 26896, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.18267 > 2.2.2.2.53: [udp sum ok] 22429% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:53.607669 IP (tos 0x0, ttl 45, id 14386, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.56284 > 2.2.2.2.53: [udp sum ok] 31548% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:53.977869 IP (tos 0x0, ttl 48, id 14422, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.25238 > 2.2.2.2.53: [udp sum ok] 63556% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:54.729752 IP (tos 0x0, ttl 48, id 14513, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.60260 > 2.2.2.2.53: [udp sum ok] 50248% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:54.729898 IP (tos 0x0, ttl 48, id 27221, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.52255 > 2.2.2.2.53: [udp sum ok] 28130% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:55.106152 IP (tos 0x0, ttl 48, id 27288, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.18691 > 2.2.2.2.53: [udp sum ok] 44804% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:55.853859 IP (tos 0x0, ttl 46, id 27471, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.57306 > 2.2.2.2.53: [udp sum ok] 28206% [1au] A? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:56.234166 IP (tos 0x0, ttl 48, id 27507, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.4874 > 2.2.2.2.53: [udp sum ok] 9535% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:56.986624 IP (tos 0x0, ttl 48, id 27674, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.21522 > 2.2.2.2.53: [udp sum ok] 36982% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:57.733674 IP (tos 0x0, ttl 48, id 27813, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.50827 > 2.2.2.2.53: [udp sum ok] 49395% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:29:59.243263 IP (tos 0x0, ttl 46, id 27821, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.21162 > 2.2.2.2.53: [udp sum ok] 38628% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:29:59.618373 IP (tos 0x0, ttl 46, id 27840, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.11627 > 2.2.2.2.53: [udp sum ok] 7771% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=4096 DO (57)
15:30:00.365454 IP (tos 0x0, ttl 46, id 27990, offset 0, flags [none], proto UDP (17), length 85)
    1.1.1.1.7914 > 2.2.2.2.53: [udp sum ok] 13200% [1au] AAAA? ns1.domain.tld. ar: . OPT UDPsize=1472 DO (57)
15:31:20.325369 IP (tos 0x0, ttl 42, id 62217, offset 0, flags [none], proto UDP (17), length 81)
    1.1.1.1.58453 > 2.2.2.2.53: [udp sum ok] 35616% [1au] A? domain.tld. ar: . OPT UDPsize=1232 DO (53)
15:31:20.329691 IP (tos 0x0, ttl 64, id 51063, offset 0, flags [DF], proto UDP (17), length 70)
    2.2.2.2.53 > 1.1.1.1.58453: [bad udp cksum 0xbb56 -> 0x34db!] 35616 NXDomain*- q: A? domain.tld. 0/0/0 (42)
15:31:20.454543 IP (tos 0x0, ttl 42, id 6449, offset 0, flags [none], proto UDP (17), length 81)
    1.1.1.1.29053 > 2.2.2.2.53: [udp sum ok] 49443% [1au] AAAA? domain.tld. ar: . OPT UDPsize=1232 DO (53)
15:31:20.455028 IP (tos 0x0, ttl 64, id 51070, offset 0, flags [DF], proto UDP (17), length 70)
    2.2.2.2.53 > 1.1.1.1.29053: [bad udp cksum 0xbb56 -> 0x7195!] 49443 NXDomain*- q: AAAA? domain.tld. 0/0/0 (42)
15:31:53.739370 IP (tos 0x0, ttl 108, id 7696, offset 0, flags [none], proto UDP (17), length 81)
    1.1.1.1.42799 > 2.2.2.2.53: [udp sum ok] 16068 [1au] MX? domain.tld. ar: . OPT UDPsize=1400 (53)
15:31:53.739892 IP (tos 0x0, ttl 64, id 52486, offset 0, flags [DF], proto UDP (17), length 70)
    2.2.2.2.53 > 1.1.1.1.42799: [bad udp cksum 0xbb56 -> 0x9f20!] 16068 NXDomain*- q: MX? domain.tld. 0/0/0 (42)
15:31:53.970869 IP (tos 0x0, ttl 48, id 20199, offset 0, flags [none], proto UDP (17), length 90)
    1.1.1.1.57259 > 2.2.2.2.53: [udp sum ok] 9832 [1au] TXT? _MTA-StS.domain.tld. ar: . OPT UDPsize=1400 (62)
15:31:53.971310 IP (tos 0x0, ttl 64, id 52489, offset 0, flags [DF], proto UDP (17), length 79)
    2.2.2.2.53 > 1.1.1.1.57259: [bad udp cksum 0xbb5f -> 0x52e7!] 9832 NXDomain*- q: TXT? _MTA-StS.domain.tld. 0/0/0 (51)
15:31:59.839880 IP (tos 0x80, ttl 111, id 52352, offset 0, flags [none], proto UDP (17), length 81)
    1.1.1.1.57395 > 2.2.2.2.53: [udp sum ok] 7102 [1au] A? domain.tld. ar: . OPT UDPsize=1400 (53)
15:31:59.840361 IP (tos 0x0, ttl 64, id 53004, offset 0, flags [DF], proto UDP (17), length 70)
    2.2.2.2.53 > 1.1.1.1.57395: [bad udp cksum 0xbb56 -> 0xa910!] 7102 NXDomain*- q: A? domain.tld. 0/0/0 (42)
15:33:46.787487 IP (tos 0x0, ttl 233, id 6497, offset 0, flags [DF], proto UDP (17), length 63)
    1.1.1.1.8154 > 2.2.2.2.53: [no cksum] 17767+ [1au] ANY? 1x1.cz. ar: . OPT UDPsize=65535 (35)
15:33:46.789625 IP (tos 0x0, ttl 64, id 56584, offset 0, flags [DF], proto UDP (17), length 52)
    2.2.2.2.53 > 1.1.1.1.8154: [bad udp cksum 0xbb44 -> 0x615a!] 17767 NXDomain*- q: ANY? 1x1.cz. 0/0/0 (24)
15:41:03.028917 IP (tos 0x0, ttl 54, id 32440, offset 0, flags [none], proto UDP (17), length 90)
    1.1.1.1.50042 > 2.2.2.2.53: [udp sum ok] 22702% A? BAakBtxmK0Q8.subdomain.domain.tld. (62)
15:41:03.029483 IP (tos 0x0, ttl 64, id 6735, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.50042: [bad udp cksum 0xbb6a -> 0x6663!] 22702 NXDomain*- q: A? BAakBtxmK0Q8.subdomain.domain.tld. 0/0/0 (62)
15:41:04.095420 IP (tos 0x0, ttl 54, id 56378, offset 0, flags [none], proto UDP (17), length 112)
    1.1.1.1.56472 > 2.2.2.2.53: [udp sum ok] 57351% [1au] A? baaKbtxMK0Q8.subdomain.domain.tld. ar: . OPT UDPsize=1400 DO [ECS 3.3.3.0/24/0] (84)
15:41:04.095838 IP (tos 0x0, ttl 64, id 6832, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.56472: [bad udp cksum 0xbb6a -> 0x066c!] 57351 NXDomain*- q: A? baaKbtxMK0Q8.subdomain.domain.tld. 0/0/0 (62)
15:41:05.138113 IP (tos 0x0, ttl 54, id 25441, offset 0, flags [none], proto UDP (17), length 90)
    1.1.1.1.37935 > 2.2.2.2.53: [udp sum ok] 6999% A? baakBtxMk0q8.subdomain.domain.tld. (62)
15:41:05.138588 IP (tos 0x0, ttl 64, id 6890, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.37935: [bad udp cksum 0xbb6a -> 0xf345!] 6999 NXDomain*- q: A? baakBtxMk0q8.subdomain.domain.tld. 0/0/0 (62)
15:42:06.284413 IP (tos 0x0, ttl 47, id 44770, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.35632 > 2.2.2.2.53: [udp sum ok] 65016% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:42:06.285002 IP (tos 0x0, ttl 64, id 21786, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.35632: [bad udp cksum 0xbb5d -> 0x169b!] 65016 NXDomain*- q: NS? subdomain.domain.tld. 0/0/0 (49)
15:42:06.292725 IP (tos 0x0, ttl 47, id 40942, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.21008 > 2.2.2.2.53: [udp sum ok] 46528% [1au] A? baakbj32r488.subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (73)
15:42:06.293467 IP (tos 0x0, ttl 64, id 21787, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.21008: [bad udp cksum 0xbb6a -> 0x7b11!] 46528 NXDomain*- q: A? baakbj32r488.subdomain.domain.tld. 0/0/0 (62)
15:42:07.340778 IP (tos 0x0, ttl 49, id 35429, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.42433 > 2.2.2.2.53: [udp sum ok] 25749% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:42:07.341341 IP (tos 0x0, ttl 64, id 22004, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.42433: [bad udp cksum 0xbb5d -> 0x956d!] 25749 NXDomain*- q: NS? subdomain.domain.tld. 0/0/0 (49)
15:42:07.349756 IP (tos 0x0, ttl 47, id 28055, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.27099 > 2.2.2.2.53: [udp sum ok] 5504% [1au] A? baakbj32r488.subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (73)
15:42:07.350438 IP (tos 0x0, ttl 64, id 22006, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.27099: [bad udp cksum 0xbb6a -> 0x0387!] 5504 NXDomain*- q: A? baakbj32r488.subdomain.domain.tld. 0/0/0 (62)
15:42:08.407282 IP (tos 0x0, ttl 49, id 272, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.43993 > 2.2.2.2.53: [udp sum ok] 41217% [1au] NS? subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (60)
15:42:08.407811 IP (tos 0x0, ttl 64, id 22199, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.43993: [bad udp cksum 0xbb5d -> 0x52e9!] 41217 NXDomain*- q: NS? subdomain.domain.tld. 0/0/0 (49)
15:42:08.414856 IP (tos 0x0, ttl 49, id 37259, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.16981 > 2.2.2.2.53: [udp sum ok] 36227% [1au] A? baakbj32r488.subdomain.domain.tld. ar: . OPT UDPsize=1410 DO (73)
15:42:08.415479 IP (tos 0x0, ttl 64, id 22201, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.16981: [bad udp cksum 0xbb6a -> 0xb309!] 36227 NXDomain*- q: A? baakbj32r488.subdomain.domain.tld. 0/0/0 (62)

15:43:08.441048 IP (tos 0x80, ttl 117, id 12115, offset 0, flags [none], proto UDP (17), length 90)
    1.1.1.1.58213 > 2.2.2.2.53: [udp sum ok] 32762% A? bAAKbK29m8DA.subdomain.domain.tld. (62)
15:43:08.441560 IP (tos 0x0, ttl 64, id 23860, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.58213: [bad udp cksum 0xbb6a -> 0x4afd!] 32762 NXDomain*- q: A? bAAKbK29m8DA.subdomain.domain.tld. 0/0/0 (62)
15:43:09.485880 IP (tos 0x0, ttl 51, id 35507, offset 0, flags [none], proto UDP (17), length 90)
    1.1.1.1.62105 > 2.2.2.2.53: [udp sum ok] 63466% A? baakBk29m8da.subdomain.domain.tld. (62)
15:43:09.486412 IP (tos 0x0, ttl 64, id 23871, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.62105: [bad udp cksum 0xbb6a -> 0x2438!] 63466 NXDomain*- q: A? baakBk29m8da.subdomain.domain.tld. 0/0/0 (62)
15:43:10.522360 IP (tos 0x80, ttl 117, id 17411, offset 0, flags [none], proto UDP (17), length 90)
    1.1.1.1.62486 > 2.2.2.2.53: [udp sum ok] 53908% A? baaKbK29M8Da.subdomain.domain.tld. (62)
15:43:10.522811 IP (tos 0x0, ttl 64, id 23963, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.62486: [bad udp cksum 0xbb6a -> 0xc851!] 53908 NXDomain*- q: A? baaKbK29M8Da.subdomain.domain.tld. 0/0/0 (62)
15:43:11.566831 IP (tos 0x0, ttl 54, id 2903, offset 0, flags [none], proto UDP (17), length 90)
    1.1.1.1.39752 > 2.2.2.2.53: [udp sum ok] 26386% A? baAKBk29m8Da.subdomain.domain.tld. (62)
15:43:11.567261 IP (tos 0x0, ttl 64, id 24016, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.39752: [bad udp cksum 0xbb6a -> 0xaca2!] 26386 NXDomain*- q: A? baAKBk29m8Da.subdomain.domain.tld. 0/0/0 (62)
15:43:17.418561 IP (tos 0x0, ttl 34, id 42728, offset 0, flags [none], proto UDP (17), length 81)
    1.1.1.1.23418 > 2.2.2.2.53: [udp sum ok] 3226 [1au] A? domain.tld. ar: . OPT UDPsize=512 DO (53)
15:43:17.419220 IP (tos 0x0, ttl 64, id 24058, offset 0, flags [DF], proto UDP (17), length 70)
    2.2.2.2.53 > 1.1.1.1.23418: [bad udp cksum 0xbb56 -> 0x3c4d!] 3226 NXDomain*- q: A? domain.tld. 0/0/0 (42)
15:43:36.489930 IP (tos 0x0, ttl 45, id 32675, offset 0, flags [DF], proto UDP (17), length 70)
    1.1.1.1.39248 > 2.2.2.2.53: [udp sum ok] 12307 AAAA? domain.tld. (42)
15:43:36.490464 IP (tos 0x0, ttl 64, id 26647, offset 0, flags [DF], proto UDP (17), length 70)
    2.2.2.2.53 > 1.1.1.1.39248: [bad udp cksum 0xbb56 -> 0xdae2!] 12307 NXDomain*- q: AAAA? domain.tld. 0/0/0 (42)
15:44:11.575513 IP (tos 0x0, ttl 47, id 14735, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.20898 > 2.2.2.2.53: [udp sum ok] 5872% [1au] A? baakbk38w4f8.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:44:11.576209 IP (tos 0x0, ttl 64, id 28109, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.20898: [bad udp cksum 0xbb6a -> 0x131d!] 5872 NXDomain*- q: A? baakbk38w4f8.subdomain.domain.tld. 0/0/0 (62)
15:44:13.647101 IP (tos 0x0, ttl 48, id 20135, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.56601 > 2.2.2.2.53: [udp sum ok] 4761% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:44:13.647737 IP (tos 0x0, ttl 64, id 28367, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.56601: [bad udp cksum 0xbb5d -> 0xd1f2!] 4761 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:44:13.655106 IP (tos 0x0, ttl 48, id 20136, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.30922 > 2.2.2.2.53: [udp sum ok] 63354% [1au] A? BAAKBK38w4f8.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:44:13.655403 IP (tos 0x0, ttl 64, id 28368, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.30922: [bad udp cksum 0xbb6a -> 0x2c8b!] 63354 NXDomain*- q: A? BAAKBK38w4f8.subdomain.domain.tld. 0/0/0 (62)
15:45:14.723486 IP (tos 0x0, ttl 48, id 20137, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.14136 > 2.2.2.2.53: [udp sum ok] 1684% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:45:14.724135 IP (tos 0x0, ttl 64, id 35903, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.14136: [bad udp cksum 0xbb5d -> 0x0439!] 1684 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:45:14.731699 IP (tos 0x0, ttl 48, id 20138, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.62879 > 2.2.2.2.53: [udp sum ok] 2962% [1au] A? BaaKbQDVz24a.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:45:14.731971 IP (tos 0x0, ttl 64, id 35905, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.62879: [bad udp cksum 0xbb6a -> 0x505c!] 2962 NXDomain*- q: A? BaaKbQDVz24a.subdomain.domain.tld. 0/0/0 (62)
15:45:15.770180 IP (tos 0x0, ttl 45, id 14736, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.50583 > 2.2.2.2.53: [udp sum ok] 58385% [1au] A? baakbqdvz24a.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:45:15.770864 IP (tos 0x0, ttl 64, id 35946, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.50583: [bad udp cksum 0xbb6a -> 0x6703!] 58385 NXDomain*- q: A? baakbqdvz24a.subdomain.domain.tld. 0/0/0 (62)
15:45:19.541145 IP (tos 0x0, ttl 231, id 15171, offset 0, flags [DF], proto UDP (17), length 63)
    1.1.1.1.14334 > 2.2.2.2.53: [no cksum] 17767+ [1au] ANY? hcc.nl. ar: . OPT UDPsize=65535 (35)
15:45:19.541669 IP (tos 0x0, ttl 64, id 36053, offset 0, flags [DF], proto UDP (17), length 52)
    2.2.2.2.53 > 1.1.1.1.14334: [bad udp cksum 0xbb44 -> 0x6bc2!] 17767 NXDomain*- q: ANY? hcc.nl. 0/0/0 (24)
15:46:17.864103 IP (tos 0x0, ttl 46, id 14737, offset 0, flags [none], proto UDP (17), length 99)
    1.1.1.1.20780 > 2.2.2.2.53: [udp sum ok] 60874% [1au] A? baakbep44r.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (71)
15:46:17.864966 IP (tos 0x0, ttl 64, id 44517, offset 0, flags [DF], proto UDP (17), length 88)
    2.2.2.2.53 > 1.1.1.1.20780: [bad udp cksum 0xbb68 -> 0x4328!] 60874 NXDomain*- q: A? baakbep44r.subdomain.domain.tld. 0/0/0 (60)
15:46:18.824366 IP (tos 0x0, ttl 48, id 20139, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.54611 > 2.2.2.2.53: [udp sum ok] 13318% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:46:18.824886 IP (tos 0x0, ttl 64, id 44522, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.54611: [bad udp cksum 0xbb5d -> 0x182b!] 13318 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:46:18.832050 IP (tos 0x0, ttl 48, id 20140, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.52599 > 2.2.2.2.53: [udp sum ok] 52897% [1au] A? bAakB5ZTV4da.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:46:18.832345 IP (tos 0x0, ttl 64, id 44523, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.52599: [bad udp cksum 0xbb6a -> 0xf192!] 52897 NXDomain*- q: A? bAakB5ZTV4da.subdomain.domain.tld. 0/0/0 (62)
15:46:19.870909 IP (tos 0x0, ttl 46, id 14738, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.44353 > 2.2.2.2.53: [udp sum ok] 8976% [1au] A? baakb5ztv4da.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:46:19.871634 IP (tos 0x0, ttl 64, id 44677, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.44353: [bad udp cksum 0xbb6a -> 0x7c19!] 8976 NXDomain*- q: A? baakb5ztv4da.subdomain.domain.tld. 0/0/0 (62)
15:47:20.993780 IP (tos 0x0, ttl 46, id 14739, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.18147 > 2.2.2.2.53: [udp sum ok] 33148% [1au] A? baakbcdf0r28.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:47:20.994970 IP (tos 0x0, ttl 64, id 57185, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.18147: [bad udp cksum 0xbb6a -> 0x4f99!] 33148 NXDomain*- q: A? baakbcdf0r28.subdomain.domain.tld. 0/0/0 (62)
15:47:21.941765 IP (tos 0x0, ttl 48, id 20141, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.14544 > 2.2.2.2.53: [udp sum ok] 43722% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:47:21.942216 IP (tos 0x0, ttl 64, id 57409, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.14544: [bad udp cksum 0xbb5d -> 0xbe4a!] 43722 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:47:21.949499 IP (tos 0x0, ttl 45, id 20142, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.34789 > 2.2.2.2.53: [udp sum ok] 64997% [1au] A? BAakBCdF0r28.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:47:21.949967 IP (tos 0x0, ttl 64, id 57411, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.34789: [bad udp cksum 0xbb6a -> 0xd34e!] 64997 NXDomain*- q: A? BAakBCdF0r28.subdomain.domain.tld. 0/0/0 (62)
15:48:24.141745 IP (tos 0x0, ttl 45, id 14740, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.25671 > 2.2.2.2.53: [udp sum ok] 13690% [1au] A? baakb5qera6a.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:48:24.142563 IP (tos 0x0, ttl 64, id 57966, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.25671: [bad udp cksum 0xbb6a -> 0x94e4!] 13690 NXDomain*- q: A? baakb5qera6a.subdomain.domain.tld. 0/0/0 (62)
15:48:27.127910 IP (tos 0x0, ttl 46, id 20143, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.8644 > 2.2.2.2.53: [udp sum ok] 64137% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:48:27.128342 IP (tos 0x0, ttl 64, id 58611, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.8644: [bad udp cksum 0xbb5d -> 0x2597!] 64137 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:48:27.135353 IP (tos 0x0, ttl 46, id 20144, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.54746 > 2.2.2.2.53: [udp sum ok] 30017% [1au] A? bAAkB5QERa6A.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:48:27.135610 IP (tos 0x0, ttl 64, id 58612, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.54746: [bad udp cksum 0xbb6a -> 0x452b!] 30017 NXDomain*- q: A? bAAkB5QERa6A.subdomain.domain.tld. 0/0/0 (62)
15:49:27.267915 IP (tos 0x0, ttl 48, id 14741, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.42137 > 2.2.2.2.53: [udp sum ok] 45523% [1au] A? baakbjxqn2ca.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:49:27.268804 IP (tos 0x0, ttl 64, id 4874, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.42137: [bad udp cksum 0xbb6a -> 0xc608!] 45523 NXDomain*- q: A? baakbjxqn2ca.subdomain.domain.tld. 0/0/0 (62)
15:49:28.301170 IP (tos 0x0, ttl 46, id 20145, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.20223 > 2.2.2.2.53: [udp sum ok] 18294% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:49:28.301616 IP (tos 0x0, ttl 64, id 4996, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.20223: [bad udp cksum 0xbb5d -> 0xab4f!] 18294 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:49:28.308726 IP (tos 0x0, ttl 46, id 20146, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.28379 > 2.2.2.2.53: [udp sum ok] 24290% [1au] A? bAAkBJxQn2CA.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:49:28.309000 IP (tos 0x0, ttl 64, id 4998, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.28379: [bad udp cksum 0xbb6a -> 0x6ff9!] 24290 NXDomain*- q: A? bAAkBJxQn2CA.subdomain.domain.tld. 0/0/0 (62)
15:50:30.410503 IP (tos 0x0, ttl 48, id 20147, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.9036 > 2.2.2.2.53: [udp sum ok] 13957% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:50:30.410946 IP (tos 0x0, ttl 64, id 6796, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.9036: [bad udp cksum 0xbb5d -> 0x27d4!] 13957 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:50:30.417908 IP (tos 0x0, ttl 45, id 20148, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.4760 > 2.2.2.2.53: [udp sum ok] 2477% [1au] A? Baakb82htW5A.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:50:30.418282 IP (tos 0x0, ttl 64, id 6797, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.4760: [bad udp cksum 0xbb6a -> 0x17c0!] 2477 NXDomain*- q: A? Baakb82htW5A.subdomain.domain.tld. 0/0/0 (62)
15:50:31.309909 IP (tos 0x0, ttl 45, id 14742, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.35326 > 2.2.2.2.53: [udp sum ok] 16236% [1au] A? baakb82htw5a.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:50:31.310619 IP (tos 0x0, ttl 64, id 7013, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.35326: [bad udp cksum 0xbb6a -> 0x4979!] 16236 NXDomain*- q: A? baakb82htw5a.subdomain.domain.tld. 0/0/0 (62)
15:51:33.574789 IP (tos 0x0, ttl 48, id 14743, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.56899 > 2.2.2.2.53: [udp sum ok] 14852% [1au] A? baakbwjfk26a.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)
15:51:33.576206 IP (tos 0x0, ttl 64, id 14924, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.56899: [bad udp cksum 0xbb6a -> 0x026c!] 14852 NXDomain*- q: A? baakbwjfk26a.subdomain.domain.tld. 0/0/0 (62)
15:51:34.676641 IP (tos 0x0, ttl 46, id 20149, offset 0, flags [none], proto UDP (17), length 88)
    1.1.1.1.15594 > 2.2.2.2.53: [udp sum ok] 35056% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)
15:51:34.677181 IP (tos 0x0, ttl 64, id 15127, offset 0, flags [DF], proto UDP (17), length 77)
    2.2.2.2.53 > 1.1.1.1.15594: [bad udp cksum 0xbb5d -> 0xbbea!] 35056 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)
15:51:34.684295 IP (tos 0x0, ttl 48, id 20150, offset 0, flags [none], proto UDP (17), length 101)
    1.1.1.1.8062 > 2.2.2.2.53: [udp sum ok] 29946% [1au] A? BaaKBwjfK26a.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)
15:51:34.684649 IP (tos 0x0, ttl 64, id 15128, offset 0, flags [DF], proto UDP (17), length 90)
    2.2.2.2.53 > 1.1.1.1.8062: [bad udp cksum 0xbb6a -> 0xc77c!] 29946 NXDomain*- q: A? BaaKBwjfK26a.subdomain.domain.tld. 0/0/0 (62)

~/.sliver/logs/sliver.log output does not show any DNS related errors:

cat ~/.sliver/logs/sliver.log
DEBU[2023-09-06T20:45:48Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
WARN[2023-09-06T20:45:48Z] [sliver/server/configs/database.go:154] Config file does not exist, using defaults
DEBU[2023-09-06T20:45:48Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-06T20:45:48Z] [sliver/server/configs/database.go:120] Creating config dir /home/kali/.sliver/configs
INFO[2023-09-06T20:45:48Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-06T20:45:48Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-07T00:07:47Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:07:47Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-07T00:07:47Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:07:47Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
INFO[2023-09-07T00:07:48Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
WARN[2023-09-07T00:07:48Z] [sliver/server/configs/server.go:253] Config file does not exist, using defaults
INFO[2023-09-07T00:07:48Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:48Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:48Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:48Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:48Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
DEBU[2023-09-07T00:07:54Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:07:54Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-07T00:07:54Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:07:54Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
INFO[2023-09-07T00:07:54Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:54Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:54Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:54Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:54Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:54Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
DEBU[2023-09-07T00:07:58Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:07:58Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-07T00:07:58Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:07:58Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
INFO[2023-09-07T00:07:58Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:58Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:58Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:58Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:58Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:07:58Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
DEBU[2023-09-07T00:08:44Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:08:44Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-07T00:08:44Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:08:44Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-07T00:08:47Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:08:47Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-07T00:08:47Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:08:47Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-07T00:08:53Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:08:53Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-07T00:08:53Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-07T00:08:53Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
INFO[2023-09-07T00:08:53Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:08:53Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:08:53Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:08:53Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:08:53Z] [sliver/server/configs/server.go:46] Loading config from /home/kali/.sliver/configs/server.json
INFO[2023-09-07T00:08:53Z] [sliver/server/configs/server.go:153] Saving config to /home/kali/.sliver/configs/server.json
DEBU[2023-09-09T14:20:35Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:20:35Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T14:20:35Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:20:35Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T14:20:38Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:20:38Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T14:20:38Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:20:38Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T14:32:03Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:32:03Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T14:32:03Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:32:03Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T14:32:05Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:32:05Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T14:32:05Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:32:05Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T14:36:39Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:36:39Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T14:36:39Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:36:39Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T14:37:56Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:37:56Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T14:37:56Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:37:56Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T14:39:17Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:39:17Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T14:39:17Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T14:39:17Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T15:04:38Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T15:04:38Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T15:04:38Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T15:04:38Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T15:05:04Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T15:05:04Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T15:05:04Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T15:05:04Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?
DEBU[2023-09-09T15:41:41Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T15:41:41Z] [sliver/server/configs/database.go:56] Loading config from /home/kali/.sliver/configs/database.json
INFO[2023-09-09T15:41:41Z] [sliver/server/configs/database.go:130] Saving config to /home/kali/.sliver/configs/database.json
DEBU[2023-09-09T15:41:41Z] [sliver/server/db/sql_cgo.go:35] sqlite -> file:/home/kali/.sliver/sliver.db?

Debug implant output is:

2023/09/09 11:40:50 sliver.go:95: Hello my name is COMFORTABLE_PRODUCT
2023/09/09 11:40:50 limits.go:58: Limit checks completed
2023/09/09 11:40:50 sliver.go:113: Running in session mode
2023/09/09 11:40:50 session.go:64: Starting interactive session connection loop ...
2023/09/09 11:40:50 transports.go:41: Starting c2 url generator () ...
2023/09/09 11:40:50 transports.go:104: Return generator: (chan *url.URL)(0xc0001827e0)
2023/09/09 11:40:50 transports.go:92: Yield c2 uri = 'dns://subdomain.domain.tld.'
2023/09/09 11:40:50 transports.go:92: Yield c2 uri = 'dns://subdomain.domain.tld.'
2023/09/09 11:40:50 session.go:81: Next CC = dns://subdomain.domain.tld.
2023/09/09 11:40:50 session.go:81: Next CC = dns://subdomain.domain.tld.
2023/09/09 11:40:50 session.go:171: Attempting to connect via DNS via parent: subdomain.domain.tld.
2023/09/09 11:40:50 transports.go:92: Yield c2 uri = 'dns://subdomain.domain.tld.'
2023/09/09 11:40:50 dnsclient.go:150: DNS client connecting to 'subdomain.domain.tld.' (timeout: 5s) ...
2023/09/09 11:40:50 conf_windows.go:77: Possible resolver: 192.168.1.100
2023/09/09 11:40:50 dnsclient.go:295: [dns] found resolvers: [192.168.1.100]
2023/09/09 11:40:50 crypto.go:199: TOTP Code: 21432644
2023/09/09 11:40:50 dnsclient.go:713: [dns] Fetching dns session id via 'baakbk29m8da.subdomain.domain.tld.' ...
2023/09/09 11:40:50 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbk29m8da.subdomain.domain.tld. ?
2023/09/09 11:40:50 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 43.8436ms (err: <nil>)
2023/09/09 11:40:50 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:40:50 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:40:51 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbk29m8da.subdomain.domain.tld. ?
2023/09/09 11:40:51 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 16.2017ms (err: <nil>)
2023/09/09 11:40:51 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:40:51 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:40:52 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbk29m8da.subdomain.domain.tld. ?
2023/09/09 11:40:52 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 31.5072ms (err: <nil>)
2023/09/09 11:40:52 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:40:52 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:40:53 sliver.go:152: [session] failed to establish connection: invalid rcode
2023/09/09 11:40:53 sliver.go:132: Reconnect sleep: 1m0s
2023/09/09 11:41:53 session.go:171: Attempting to connect via DNS via parent: subdomain.domain.tld.
2023/09/09 11:41:53 dnsclient.go:150: DNS client connecting to 'subdomain.domain.tld.' (timeout: 5s) ...
2023/09/09 11:41:53 session.go:81: Next CC = dns://subdomain.domain.tld.
2023/09/09 11:41:53 transports.go:92: Yield c2 uri = 'dns://subdomain.domain.tld.'
2023/09/09 11:41:53 conf_windows.go:77: Possible resolver: 192.168.1.100
2023/09/09 11:41:53 dnsclient.go:295: [dns] found resolvers: [192.168.1.100]
2023/09/09 11:41:53 crypto.go:199: TOTP Code: 41461828
2023/09/09 11:41:53 dnsclient.go:713: [dns] Fetching dns session id via 'baakbk38w4f8.subdomain.domain.tld.' ...
2023/09/09 11:41:53 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbk38w4f8.subdomain.domain.tld. ?
2023/09/09 11:41:53 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 26.4167ms (err: <nil>)
2023/09/09 11:41:53 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:41:53 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:41:54 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbk38w4f8.subdomain.domain.tld. ?
2023/09/09 11:41:54 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 20.2936ms (err: <nil>)
2023/09/09 11:41:54 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:41:54 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:41:55 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbk38w4f8.subdomain.domain.tld. ?
2023/09/09 11:41:55 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 14.8285ms (err: <nil>)
2023/09/09 11:41:55 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:41:55 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:41:56 sliver.go:152: [session] failed to establish connection: invalid rcode
2023/09/09 11:41:56 sliver.go:132: Reconnect sleep: 1m0s
2023/09/09 11:42:56 session.go:171: Attempting to connect via DNS via parent: subdomain.domain.tld.
2023/09/09 11:42:56 session.go:81: Next CC = dns://subdomain.domain.tld.
2023/09/09 11:42:56 dnsclient.go:150: DNS client connecting to 'subdomain.domain.tld.' (timeout: 5s) ...
2023/09/09 11:42:56 transports.go:92: Yield c2 uri = 'dns://subdomain.domain.tld.'
2023/09/09 11:42:56 conf_windows.go:77: Possible resolver: 192.168.1.100
2023/09/09 11:42:56 dnsclient.go:295: [dns] found resolvers: [192.168.1.100]
2023/09/09 11:42:56 crypto.go:199: TOTP Code: 35544540
2023/09/09 11:42:56 dnsclient.go:713: [dns] Fetching dns session id via 'baakbqdvz24a.subdomain.domain.tld.' ...
2023/09/09 11:42:56 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbqdvz24a.subdomain.domain.tld. ?
2023/09/09 11:42:56 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 36.4939ms (err: <nil>)
2023/09/09 11:42:56 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:42:56 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:42:57 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbqdvz24a.subdomain.domain.tld. ?
2023/09/09 11:42:57 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 18.8977ms (err: <nil>)
2023/09/09 11:42:57 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:42:57 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:42:58 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbqdvz24a.subdomain.domain.tld. ?
2023/09/09 11:42:58 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 16.2167ms (err: <nil>)
2023/09/09 11:42:58 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:42:58 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:42:59 sliver.go:152: [session] failed to establish connection: invalid rcode
2023/09/09 11:42:59 sliver.go:132: Reconnect sleep: 1m0s
2023/09/09 11:43:59 session.go:171: Attempting to connect via DNS via parent: subdomain.domain.tld.
2023/09/09 11:43:59 dnsclient.go:150: DNS client connecting to 'subdomain.domain.tld.' (timeout: 5s) ...
2023/09/09 11:43:59 session.go:81: Next CC = dns://subdomain.domain.tld.
2023/09/09 11:43:59 transports.go:92: Yield c2 uri = 'dns://subdomain.domain.tld.'
2023/09/09 11:43:59 conf_windows.go:77: Possible resolver: 192.168.1.100
2023/09/09 11:43:59 dnsclient.go:295: [dns] found resolvers: [192.168.1.100]
2023/09/09 11:43:59 crypto.go:199: TOTP Code: 01156126
2023/09/09 11:43:59 dnsclient.go:713: [dns] Fetching dns session id via 'baakbep44r.subdomain.domain.tld.' ...
2023/09/09 11:43:59 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbep44r.subdomain.domain.tld. ?
2023/09/09 11:43:59 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 23.8265ms (err: <nil>)
2023/09/09 11:43:59 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:43:59 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:44:00 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbep44r.subdomain.domain.tld. ?
2023/09/09 11:44:00 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 1.0854ms (err: <nil>)
2023/09/09 11:44:00 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:44:00 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:44:01 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbep44r.subdomain.domain.tld. ?
2023/09/09 11:44:01 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 16.747ms (err: <nil>)
2023/09/09 11:44:01 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:44:01 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:44:02 sliver.go:152: [session] failed to establish connection: invalid rcode
2023/09/09 11:44:02 sliver.go:132: Reconnect sleep: 1m0s
2023/09/09 11:45:02 session.go:171: Attempting to connect via DNS via parent: subdomain.domain.tld.
2023/09/09 11:45:02 dnsclient.go:150: DNS client connecting to 'subdomain.domain.tld.' (timeout: 5s) ...
2023/09/09 11:45:02 session.go:81: Next CC = dns://subdomain.domain.tld.
2023/09/09 11:45:02 transports.go:92: Yield c2 uri = 'dns://subdomain.domain.tld.'
2023/09/09 11:45:02 conf_windows.go:77: Possible resolver: 192.168.1.100
2023/09/09 11:45:02 dnsclient.go:295: [dns] found resolvers: [192.168.1.100]
2023/09/09 11:45:02 crypto.go:199: TOTP Code: 19502220
2023/09/09 11:45:02 dnsclient.go:713: [dns] Fetching dns session id via 'baakbcdf0r28.subdomain.domain.tld.' ...
2023/09/09 11:45:02 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbcdf0r28.subdomain.domain.tld. ?
2023/09/09 11:45:02 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 24.9774ms (err: <nil>)
2023/09/09 11:45:02 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:45:02 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:45:03 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbcdf0r28.subdomain.domain.tld. ?
2023/09/09 11:45:03 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 16.7757ms (err: <nil>)
2023/09/09 11:45:03 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:45:03 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:45:04 resolver-generic.go:92: [dns] 192.168.1.100:53->A record of baakbcdf0r28.subdomain.domain.tld. ?
2023/09/09 11:45:04 resolver-generic.go:175: [dns] rtt->192.168.1.100:53 16.2356ms (err: <nil>)
2023/09/09 11:45:04 resolver-generic.go:100: [dns] error response status: 3
2023/09/09 11:45:04 resolver-generic.go:83: [dns] query error: invalid rcode (retry wait: 1s)
2023/09/09 11:45:05 sliver.go:152: [session] failed to establish connection: invalid rcode
2023/09/09 11:45:05 sliver.go:132: Reconnect sleep: 1m0s
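
To read a capture like the one in the comment above without scanning it by eye, this added example (not part of the thread and not Sliver code) summarises tcpdump detail lines: it pairs queries with responses, counts response codes, and lists names that arrive in more than one letter case. The `Summarize` and `Summary` names are hypothetical, and the sample lines are constructed in the format of the capture, using its placeholder addresses and names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample: lines in the format of the capture in this thread,
// with the same placeholder addresses and names.
var sampleCapture = []string{
	"    1.1.1.1.62879 > 2.2.2.2.53: [udp sum ok] 2962% [1au] A? BaaKbQDVz24a.subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (73)",
	"15:45:14.731971 IP (tos 0x0, ttl 64, id 35905, offset 0, flags [DF], proto UDP (17), length 90)",
	"    2.2.2.2.53 > 1.1.1.1.62879: [bad udp cksum 0xbb6a -> 0x505c!] 2962 NXDomain*- q: A? BaaKbQDVz24a.subdomain.domain.tld. 0/0/0 (62)",
	"    1.1.1.1.50583 > 2.2.2.2.53: [udp sum ok] 58385% [1au] A? baakbqdvz24a.subdomain.domain.tld. ar: . OPT UDPsize=8192 DO (73)",
	"    2.2.2.2.53 > 1.1.1.1.50583: [bad udp cksum 0xbb6a -> 0x6703!] 58385 NXDomain*- q: A? baakbqdvz24a.subdomain.domain.tld. 0/0/0 (62)",
	"    1.1.1.1.14334 > 2.2.2.2.53: [no cksum] 17767+ [1au] ANY? hcc.nl. ar: . OPT UDPsize=65535 (35)",
	"    2.2.2.2.53 > 1.1.1.1.14334: [bad udp cksum 0xbb44 -> 0x6bc2!] 17767 NXDomain*- q: ANY? hcc.nl. 0/0/0 (24)",
	"    1.1.1.1.54611 > 2.2.2.2.53: [udp sum ok] 13318% [1au] A? subdomain.domain.tld. ar: . OPT UDPsize=4096 DO (60)",
	"    2.2.2.2.53 > 1.1.1.1.54611: [bad udp cksum 0xbb5d -> 0x182b!] 13318 NXDomain*- q: A? subdomain.domain.tld. 0/0/0 (49)",
}

var (
	// Response: "<src> > <dst>: [cksum] <id> <Rcode><flags> q: <TYPE>? <name>".
	// Only responses that carry an rcode name and a "q:" section are
	// recognised, which is the form of every response in the capture.
	respRe = regexp.MustCompile(`^\s*(\S+) > (\S+): \[[^\]]*\] (\d+) ([A-Za-z]+)\S* q: ([A-Z]+)\? (\S+)`)
	// Query: "<src> > <dst>: [cksum] <id><flags> [1au] <TYPE>? <name>".
	queryRe = regexp.MustCompile(`^\s*(\S+) > (\S+): \[[^\]]*\] (\d+)\S* (?:\[\w+\] )?([A-Z]+)\? (\S+)`)
)

// key identifies one transaction: client address.port plus DNS message ID.
type key struct{ client, txid string }

// Summary is the result of one pass over the capture lines.
type Summary struct {
	Queries      int
	Unanswered   int                 // queries with no matching response
	Rcodes       map[string]int      // rcode name -> number of responses
	CaseVariants map[string][]string // lower-cased name -> spellings, when more than one was seen
	OffParent    []string            // query names outside the parent domain
}

// Summarize parses the lines and reports on queries under parent.
func Summarize(lines []string, parent string) Summary {
	s := Summary{Rcodes: map[string]int{}, CaseVariants: map[string][]string{}}
	pending := map[key]bool{}
	spellings := map[string]map[string]bool{}
	parent = strings.ToLower(parent)

	for _, line := range lines {
		if m := respRe.FindStringSubmatch(line); m != nil {
			s.Rcodes[m[4]]++
			delete(pending, key{m[2], m[3]}) // response destination is the query source
			continue
		}
		m := queryRe.FindStringSubmatch(line)
		if m == nil {
			continue // timestamp/IP header lines and anything unrecognised
		}
		s.Queries++
		pending[key{m[1], m[3]}] = true

		name := m[5]
		folded := strings.ToLower(name)
		if folded != parent && !strings.HasSuffix(folded, "."+parent) {
			s.OffParent = append(s.OffParent, name) // unrelated traffic hitting port 53
			continue
		}
		if spellings[folded] == nil {
			spellings[folded] = map[string]bool{}
		}
		spellings[folded][name] = true
	}

	s.Unanswered = len(pending)
	for folded, set := range spellings {
		if len(set) < 2 {
			continue
		}
		// The same name in several letter cases means something on the path
		// rewrites query-name case before the query reaches this host.
		for spelling := range set {
			s.CaseVariants[folded] = append(s.CaseVariants[folded], spelling)
		}
		sort.Strings(s.CaseVariants[folded])
	}
	return s
}

func main() {
	s := Summarize(sampleCapture, "subdomain.domain.tld.")
	fmt.Printf("queries=%d unanswered=%d rcodes=%v\n", s.Queries, s.Unanswered, s.Rcodes)
	for folded, variants := range s.CaseVariants {
		fmt.Printf("case variants of %s: %v\n", folded, variants)
	}
	fmt.Printf("outside parent: %v\n", s.OffParent)
}
```

On the sample, every query is answered and every answer is NXDomain, which is rcode 3, the same status the implant log reports as `error response status: 3`.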

Moondog85 commented 8 months ago

Hello, I installed Sliver C2 but now I'm having the "connection to server failed context deadline exceeded" error. I'm fairly new to Linux. I've created the new install.sh per N00BIER, then gave it the a+rwx permissions. Do I need to remove the old sliver before running the install.sh?

I'm able to connect to sliver-server, create a new-operator, and start multiplayer. Then I import the cfg file. But when I start sliver-client and select the operator, I get the "context deadline exceeded" error.

moloch-- commented 8 months ago

@Moondog85 that likely means the daemon isn't running, but is unrelated to this issue.

Paradoxis commented 8 months ago

Is there any progress regarding tracking down the root cause of this issue? I'd love to take a stab at it and see what I could do to help, given that downgrading isn't a feasible option for me, since I don't want to put anyone at risk by installing a vulnerable version.

moloch-- commented 8 months ago

I updated the key exchange; the issue now is that the initial message is too long for the old encoding mechanism. There's also a bug where base32 is improperly detected as base58, causing corruption of the channel. The latter is actually unrelated, but I discovered it while debugging the key exchange.

I should be able to return to working on Sliver updates fairly soon, just putting the final touches on the internal project I've been working on over the summer.

miszr commented 5 months ago

Just created PR #1573, which should fix the issue.

moloch-- commented 4 months ago

Fixed in v1.5.42, thanks @miszr!