They are probably spoofed IPs. So those are the target IP IPs of a DDoS
What king of amplification factor does your DNS server have? I bet with the changes you’ve made, it’s super high. People are looking for DNS servers like that.
On the contrary, the reponse packets are tiny.
$ host -t txt comcast.net.contacts.abuse.net comcast.net.contacts.abuse.net descriptive text "abuse@comcast.net"
$ host -t hinfo comcast.net.contacts.abuse.net comcast.net.contacts.abuse.net host information "lookup" "comcast.net"
Those reply packets are 108 and 109 bytes, no addditional section, no DNSSSEC, no nothing. Any other ideas? One clue is that the queries have random capitalization which would be consistent with them really coming from Google.
Every once in a while someone decides to look up every domain in the world and DoS'es it until I update my packet filters. This week it's been this set of IPs that belong to Google. I don't think they're 8.8.8.8. Any idea what they are? Random Google Cloud customers? A secret DNS mapping project?
172.253.1.133 172.253.206.36 172.253.1.130 172.253.206.37 172.253.13.196 172.253.255.36 172.253.13.197 172.253.1.131 172.253.255.35 172.253.255.37 172.253.1.132 172.253.13.193 172.253.1.129 172.253.255.33 172.253.206.35 172.253.255.34 172.253.206.33 172.253.206.34 172.253.13.194 172.253.13.195 172.71.125.63 172.71.117.60 172.71.133.51