Muddling Meerkat Poses Nation-State DNS Mystery

Published: 23/11/2024   Category: security




Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.



During an investigation into the activities of a threat group providing domain name system (DNS) infrastructure for illicit online gambling sites, threat researcher Renée Burton discovered something completely novel: covert traffic immune to China's government-run firewall, using open DNS resolvers and mail records to communicate.
The China-linked group — dubbed Muddling Meerkat — has demonstrated its ability to get specific DNS packets through the Great Firewall, one of the technologies separating China's Internet from the rest of the world, Burton, vice president of threat research at network security firm Infoblox, wrote in an analysis published this week.
While most requests for restricted domains return a seemingly random IP address, Muddling Meerkat is able to get DNS mail (MX) records with random-looking prefixes in response to certain requests, even when the domain has no mail service.
The goal of the capability remains unclear — most likely it's for reconnaissance or establishing the foundations of a DNS denial-of-service attack, Burton says — but the demonstrated expertise and ability to pierce the GFW deserve additional research, she says.
"We have a deliberate, very cunning use using very detailed knowledge of DNS — this is not your average cybercriminal; this is not your average teenager; these people are experts in DNS," Burton says. "So we have something that has been going on for four and a half years at this point, which isn't observable in any one location, but is deliberate and constant — and that combination of things, to me, is worrisome."
The threat research comes as the governments of the United States and other nations have warned that China's military has infiltrated critical infrastructure networks with a goal of pre-positioning their cyber operators for potential future conflicts. While many threat researchers have noted China-linked hacking groups' expertise in finding and exploiting zero-days in edge devices such as firewalls and virtual private network (VPN) appliances, the current research underscores their capabilities in utilizing the domain name system (DNS) for their own purposes.
The Chinese Communist Party prevents its citizens from going to content that the government considers inappropriate or illegal — not by blocking the traffic, but by returning fake responses to DNS queries that prevent a user in China from connecting to the desired site. The approach, dubbed the Great Firewall (GFW), is not an inline traffic filter nor a platform that alters DNS responses on the fly, but rather an operator on the side that issues a response that competes with any packet from the original intended destination, says Burton.
"While the Great Firewall does not intercept traffic, China does operate another system — often referred to as the Great Cannon (GC) — that takes the adversary-in-the-middle (AitM) approach, modifying packets en route to their destination," she wrote in the report.
In combination, the GFW and GC create a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS, the report said. Muddling Meerkat operations are complex and demonstrate that the actor has a strong understanding of DNS, as well as internet savvy.
Typically, researchers can see the Great Firewall in operation. When they send a DNS request for a domain considered to be out of bounds by the Chinese government, the GFW returns a seemingly random IP address. When they ask for a non-existent service for that domain, such as a mail (MX) record, the GFW still sends an IP address. However, Infoblox researchers and their industry partners instead saw mail records for domains that had no mail services, and each MX record had a seemingly random, albeit short, host name.
kb.com, for example, has no MX records, but the researchers have seen a large number of mail responses, seemingly from the domain, for servers with names such as pq5bo[.]kb[.]com and uff0h[.]kb[.]com.
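To make the two response patterns described above concrete, here is an added Python example (not from the Infoblox report) that scans constructed resolver log lines and tags MX queries answered only with A records (the GFW behaviour described above) and MX answers whose exchange is a short random-looking label directly under the queried domain (the Muddling Meerkat pattern). The log layout, the tag names and the random-label heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of resolver log lines (not real data). Tab-separated:
# timestamp, client, qname, qtype, rcode, answers ("TYPE:rdata", comma-separated).
SAMPLE_LOG = """\
2019-10-15T12:00:01Z\t198.51.100.7\tkb.com\tMX\tNOERROR\tMX:10 pq5bo.kb.com.
2019-10-15T12:00:02Z\t198.51.100.7\tkb.com\tMX\tNOERROR\tMX:10 uff0h.kb.com.
2019-10-15T12:00:03Z\t198.51.100.9\texample.net\tMX\tNOERROR\tA:203.0.113.5
2019-10-15T12:00:04Z\t198.51.100.9\texample.org\tMX\tNOERROR\tMX:10 mail.example.org.
2019-10-15T12:00:05Z\t198.51.100.9\texample.org\tA\tNOERROR\tA:203.0.113.10
"""

# Heuristic (an assumption, not from the report): a short label mixing letters and
# digits directly under the queried zone looks machine-generated, e.g. "pq5bo".
RANDOM_LABEL = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{3,8}$")

def parse_line(line):
    """Split one constructed log line into a record with (type, rdata) answer pairs."""
    ts, client, qname, qtype, rcode, answers = line.rstrip("\n").split("\t")
    rrs = [tuple(a.split(":", 1)) for a in answers.split(",") if a]
    return {"qname": qname.lower().rstrip("."), "qtype": qtype.upper(), "answers": rrs}

def classify(rec):
    """Tag an MX query: 'gfw_like' when only A records come back (the injected-IP
    behaviour the article attributes to the GFW), 'meerkat_like' when an MX
    exchange is a random-looking label directly under qname, else None."""
    if rec["qtype"] != "MX" or not rec["answers"]:
        return None
    types = {t for t, _ in rec["answers"]}
    if "MX" not in types and "A" in types:
        return "gfw_like"
    zone = "." + rec["qname"]
    for rtype, rdata in rec["answers"]:
        if rtype != "MX":
            continue
        exchange = rdata.split()[-1].lower().rstrip(".")  # "10 pq5bo.kb.com." -> host
        if exchange.endswith(zone) and RANDOM_LABEL.match(exchange[:-len(zone)]):
            return "meerkat_like"
    return None

def scan(log_text):
    """Return {qname: {tag: sorted answer targets}} for every flagged line."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        tag = classify(rec)
        if tag:
            hits[rec["qname"]][tag].update(rd.split()[-1] for _, rd in rec["answers"])
    return {q: {t: sorted(v) for t, v in tags.items()} for q, tags in hits.items()}
```

Several distinct random-looking exchanges for the same zone, as with kb.com here, is the stronger signal; a single hit may just be an unusual but legitimate mail host.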
The unexplained Internet traffic — which was initially detected as far back as Oct. 15, 2019 — could be some sort of reconnaissance that uses open resolvers and super-aged domains that foil many DNS block lists, says Burton.
"It's super under the radar, right? So that's kind of a recon-y looking thing," she says. "The other thing about it, though, is it has that DNS denial-of-service aspect. There are concerns that the Chinese are positioning themselves for operations against critical infrastructure, and here they've positioned themselves in DNS in a really weird way."
Combined with the recent announcement by the US Cybersecurity and Infrastructure Security Agency (CISA) that China is pre-positioning itself inside other organizations' infrastructures, Infoblox decided to go public with what the company and its anonymous partners had discovered.
Infoblox collaborated with other organizations, which the company declined to name due to worries of retribution and the potential loss of access to the DNS activity data. While the Muddling Meerkat operation appears similar to some slow drip DNS denial-of-service attacks, determining the purpose of the traffic will likely require more research participants, Burton says.
"I don't believe there's anyone who can see this operation in totality," she says. "Every single piece is seen individually, and then what we did was we brought a bunch of different pieces together, so we could see the whole thing. This is a complete mystery ... but it definitely is there."
