Weird characters in Infoblox DNS firewall logs

PExaminer
Techie

Hi,

 

Can anyone shed light on whether the below DNS query recorded in the Infoblox logs is triggered from a malicious system or is benign? Thanks.

 

[DATETIMESTAMP] Infoblox X.X.X.X analytics: DNS Tunneling detected: Domain name [LOCALDOMAIN] has been detected with tunneling activity. The analytics classification was triggered by 4 queries from client IP: X.X.X.X to domain [LOCALDOMAIN]. The likelihood of the detection is 0.9999736635955486. Trigger 1 of 4 : {"timestamp":"YYYY-MM-DDTHH:MM:SS","qName":"\\226\\181\\177\\226\\181\\172\\226\\181\\183\\227\\187\\226\\180\\176\\226\\175\\226\\180\\176\\227...","qType":"A","rData":null,"ttl":0,"delay":9223372036854775807

 

PEX

Re: Weird characters in Infoblox DNS firewall logs

Adviser

Hi,

 

The logs seen here show that DNS tunneling traffic was detected by Infoblox Threat Insight.

 

DNS tunneling refers to a method of exfiltrating sensitive data from secured networks via the DNS port. That being said, DNS tunneling is also used by legitimate applications in certain scenarios. 

 

DNS tunneling requires a domain name whose registered NS records would point to malicious name servers. Hence the queries would follow the normal path of name resolution and would hit the malicious name servers. Sensitive data is encapsulated in these DNS queries and thus reaches the intended name servers.

 

The Infoblox Threat Insight, based on the configuration, can identify DNS tunneling traffic using Infoblox proprietary algorithms and add the associated domain name to a local response policy zone to be blocked.

 

The ideal thing to do in this scenario would be to investigate the domain name and client IP address detected, to identify if the traffic is from a legitimate source. If the traffic is identified as legitimate, you can add the domain name to a whitelist response policy zone to bypass the traffic.

 

For more information, please refer to the section "Infoblox Threat Insight" in the NIOS Administrator Guide.

 

Regards,

Sandeep
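A defender-side triage script, added here as an example (it is not Infoblox code and was not posted in this thread): it parses a log line of the shape quoted in the first post, undoes the \DDD escapes in qName (read as decimal, the BIND presentation convention, which is an assumption) to recover the raw bytes, and scores the host labels for the shapes the explanation above describes. The sample line, the zone corp.example, the address and the timestamp are constructed; the escaped octets are the ones from the original post.

```python
import json
import math
import re
from collections import Counter
# Constructed sample, abridged to the shape of the Threat Insight message in the first
# post: timestamp, address and zone are placeholders; the escaped octets in qName are
# copied from that post, and the JSON is cut short just as the logged line was.
SAMPLE_LOG = (
    "[2024-01-01T00:00:00] Infoblox 192.0.2.10 analytics: DNS Tunneling detected: "
    "Domain name corp.example has been detected with tunneling activity. Trigger 1 of 4 : "
    r'{"timestamp":"2024-01-01T00:00:00","qName":"\\226\\181\\177\\226\\181\\172'
    r'\\226\\181\\183\\227\\187\\226\\180\\176.corp.example","qType":"A","rData":null'
)
QNAME_RE = re.compile(r'"qName":"((?:[^"\\]|\\.)*)"')  # copes with the truncated JSON
DDD_RE = re.compile(rb"\\(\d{3})")                     # BIND-style \DDD decimal byte escape

def qname_from_log(line: str) -> str:
    """Pull qName out of the trigger fragment and undo the JSON-level escaping."""
    m = QNAME_RE.search(line)
    if not m:
        raise ValueError("no qName in log line")
    return json.loads('"' + m.group(1) + '"')

def decode_presentation(qname: str) -> bytes:  # \DDD escapes -> raw bytes (decimal assumed)
    return DDD_RE.sub(lambda m: bytes([int(m.group(1))]), qname.encode("utf-8"))

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(qname: str, zone: str) -> dict:
    """Score the host part of a query name for the shapes tunnelling traffic produces."""
    raw = decode_presentation(qname)
    suffix = ("." + zone).encode()
    host = raw[: -len(suffix)] if raw.lower().endswith(suffix) else raw
    labels = [lab for lab in host.split(b".") if lab]
    non_ascii = sum(b >= 0x80 for b in host)
    valid_utf8 = host.decode("utf-8", "replace").encode("utf-8") == host  # E3 BB E2 fails
    longest = max((len(lab) for lab in labels), default=0)
    ent = shannon_entropy(host)
    # Real IDN hosts reach DNS as punycode (xn--), so raw high bytes are already anomalous;
    # very long or high-entropy labels are the classic shape of a tunnel's encoded payload.
    return {
        "host": host.decode("utf-8", "backslashreplace"),
        "non_ascii_fraction": round(non_ascii / max(len(host), 1), 2),
        "valid_utf8": valid_utf8,
        "longest_label": longest,
        "entropy": round(ent, 2),
        "suspicious": non_ascii > 0 or longest > 40 or ent > 4.0,
    }
```

Run it over the real log lines and the detected client IP before deciding whether the name belongs in a whitelist RPZ; the thresholds are starting points, not tuned values.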

Re: Weird characters in Infoblox DNS firewall logs

PExaminer
Techie

Hi Sandeep,

 

Thanks for responding. I was starting to think that I am never going to get a response back.

 

Would you be able to elaborate further on how DNS tunneling is being used by legitimate applications in certain scenarios and some examples of these?

 

In our case, the queries were sent to weird characters in the hostname (which can't seem to be resolved in any of the extended language character sets of Korean, Japanese, Chinese, etc.) with the corresponding domain name belonging to my organisation. Even if the extended character sets do resolve, it would be attempting to communicate with a FQDN that resides internally within the organisation.

 

I can't think of a malicious intent in terms of TTP for it. However, what could be a legitimate cause for it? Thanks.

 

PExaminer
