One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

That randomness is doing a lot of work.

Across a handful of runs we saw clients touching:

- Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
- Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
- Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
- Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
- Autodiscover for named orgs (useful for pre‑populating phish kits)
- ~150 banking domains, globally distributed

All from a page load. No content fetched, just "harmless" handshakes.

What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:
- A spray of client IPs into sensitive identity and gov endpoints
- Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
- Occasional redirects into less friendly corners of the web, courtesy of the long tail

The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel