These look very much like NSEC3 hashed names. Those are based on your actual subdomains, but are only used for DNSSEC proofs of nonexistence, and don't have any other record types besides NSEC3 (and RRSIG).
It's probably possible to match each hash to its original name provided that you have access to the entire zone anyway, but apparently there are tools in the wild which just brute-force the hashes blindly.
The earlier designs (NXT and NSEC) form a chain of plaintext domain names, e.g. aaa.example.com has the regular records plus an NSEC record pointing to bbb.example.com.
The signature of that record proves that there aren't any domains in between aaa and bbb, so the resolver can be sure that an NXDOMAIN reply is not fake. (Remember that one of the original DNSSEC goals was to allow offline signing of the zone, so that the servers could provide such proof without needing access to the signing keys.)
However, it's very simple to "walk" the entire chain from start to end, and learn all domain names even if you have disabled zone transfers. Some domain operators consider it a security problem. For that reason NSEC3 was invented which instead uses hashed names.
(Though pre-signed NSEC3 still has its own problems and might eventually be replaced with either NSEC3 "white lies" or NSEC5, both of which seem to use a different approach involving individually signed responses.)
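As an added illustration (not part of the answer above), this computes the NSEC3 hashed owner name as RFC 5155 defines it and shows how a resolver uses the hashed chain as a proof of nonexistence: the queried name's hash must fall strictly between two adjacent hashed owners. It assumes the hash parameters from the RFC's own appendix (SHA-1, salt aabbccdd, 12 extra iterations) and builds the chain from that appendix zone's names rather than from any real zone.

```python
import base64
import hashlib

# Base32hex (RFC 4648 "Extended Hex") via the standard-alphabet encoder.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Parameters from the RFC 5155 appendix example zone (assumption for this demo).
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.",
              "ns2.example.", "w.example.", "*.w.example.", "x.w.example.",
              "x.y.w.example.", "y.w.example.", "xx.example."]


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format: length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> str:
    """RFC 5155 section 5: H(name || salt), then H(prev || salt) `iterations` more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX)


def covering_interval(chain, h):
    """Return the (owner, next) pair of the NSEC3 record whose interval covers h,
    i.e. the record that proves the queried name does not exist. The last owner
    wraps around to the first, so the chain is a closed ring. Returns None when
    h equals an owner, meaning the name (or an empty non-terminal) does exist."""
    ring = sorted(chain)
    for i, owner in enumerate(ring):
        nxt = ring[(i + 1) % len(ring)]
        if h == owner:
            return None
        if owner < h < nxt or (nxt < owner and (h > owner or h < nxt)):
            return (owner, nxt)
    return None


def build_chain(names=ZONE_NAMES):
    """Hashed owner names of the zone; a signer would publish these sorted."""
    return sorted(nsec3_hash(n) for n in names)
```

Running `covering_interval(build_chain(), nsec3_hash("nonexistent.example."))` yields the single interval a resolver would need signed to accept the NXDOMAIN, while `nsec3_hash("example.")` matches an owner and so gets no covering interval.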