DNS ANY Request Cannon Activity in DNS Query Packet Traffic

We statistically investigated the total ANY resource record (RR) based DNS query request packet traffic from the Internet to the top domain DNS server in a university campus network through January 1st, 2011 to December 31st, 2012. The obtained results are: (1) We found a significant increase in the inbound ANY RR based DNS query request traffic at November 28th, 2011. (2) In the DNS query request packet traffic, we observed only a query keyword of the campus domain name. (3) We found a correlation between the total inbound DNS query request packet traffic and the DNS query request packet traffic including the query keyword. (4) Also, we carried out the loading test sending ANY, A, and PTR RR unique DNS queries to a test DNS server, we observed no difference among the vmstat parameters, and the load value was 0.10-0.20. These results indicate that the ANY RR based DNS request packet traffic is quite strange. However, it should be meaningless activity.