Weird characters in Infoblox DNS firewall logs
11-05-2018 12:15 AM
Hi,
Can anyone shed light on whether the below DNS query recorded in the Infoblox logs is triggered from a malicious system or is benign? Thanks.
[DATETIMESTAMP] Infoblox X.X.X.X analytics: DNS Tunneling detected: Domain name [LOCALDOMAIN] has been detected with tunneling activity. The analytics classification was triggered by 4 queries from client IP: X.X.X.X to domain [LOCALDOMAIN]. The likelihood of the detection is 0.9999736635955486. Trigger 1 of 4 : {"timestamp":"YYYY-MM-DDTHH:MMS","qName":"\\226\\181\\177\\226\\181\\172\\226\\181\\183\\227\\187\\226\\180\\176\\226\\175\\226\\180\\176\\227...","qType":"A","rData":null,"ttl":0,"delay":9223372036854775807
PEX
Re: Weird characters in Infoblox DNS firewall logs
11-30-2018 07:11 AM
Hi,
The logs seen here show that DNS tunneling traffic was detected by Infoblox Threat Insight.
DNS tunneling refers to a method of exfiltrating sensitive data from secured networks via the DNS port. That being said, DNS tunneling is also used by legitimate applications in certain scenarios.
DNS tunneling requires a domain name whose registered NS records would point to malicious name servers. Hence the queries would follow the normal path of name resolution and would hit the malicious name servers. Sensitive data is encapsulated in these DNS queries and thus reaches the intended name servers.
The Infoblox Threat Insight, based on the configuration, can identify DNS tunneling traffic using Infoblox proprietary algorithms and add the associated domain name to a local response policy zone to be blocked.
The ideal thing to do in this scenario would be to investigate the domain name and client IP address detected, to identify if the traffic is from a legitimate source. If the traffic is identified as legitimate, you can add the domain name to a whitelist response policy zone to bypass the traffic.
For more information, please refer to the section "Infoblox Threat Insight" in the NIOS Administrator Guide.
Regards,
Sandeep
Re: Weird characters in Infoblox DNS firewall logs
12-04-2018 09:17 PM
Hi Sandeep,
Thanks for responding. I was starting to think that I am never going to get a response back.
Would you be able to elaborate further on how DNS tunneling is being used by legitimate applications in certain scenarios and some examples of these?
In our case, the queries were sent to weird characters in the hostname (which can't seem to be resolved in any of the extended language character sets of Korean, Japanese, Chinese, etc.) with the corresponding domain name belonging to my organisation. Even if the extended character sets do resolve, it would be attempting to communicate with a FQDN that resides internally within the organisation.
I can't think of a malicious intent in terms of TTP for it. However, what could be a legitimate cause for it? Thanks.
PExaminer
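The "weird characters" in the trigger JSON are Infoblox/BIND-style backslash-DDD escapes: each `\226` is one raw byte written as a decimal number, so `\226\181\177` is the three-byte UTF-8 sequence E2 B5 B1. The helper below is an added example for triaging such a trigger (not Infoblox's code or the thread's); it decodes the qName, strips the organisation's own suffix and reports the features an analyst checks when deciding whether a detection like the one above is benign. The sample record, the `corp.example` suffix and the thresholds are constructed assumptions.

```python
import json
import math
import re
from collections import Counter

# Constructed trigger record modelled on "Trigger 1 of 4" in the log above: the first nine
# escaped bytes from the post, followed by a made-up internal suffix standing in for [LOCALDOMAIN].
SAMPLE_TRIGGER = (r'{"timestamp":"2018-11-05T00:15:00","qName":"\\226\\181\\177\\226\\181\\172'
                  r'\\226\\181\\183.corp.example","qType":"A","rData":null,"ttl":0}')
LOCAL_SUFFIX = "corp.example"  # assumed organisation domain

_ESCAPE = re.compile(r"\\(\d{3})")  # one backslash followed by three decimal digits


def unescape_qname(qname: str) -> bytes:
    """Expand RFC 1035 master-file style backslash-DDD escapes (decimal byte values) to raw bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(qname):
        out += qname[pos:m.start()].encode("ascii")
        out.append(int(m.group(1)))  # bytearray rejects values above 255, which would be malformed
        pos = m.end()
    out += qname[pos:].encode("ascii")
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encoded tunnel payloads usually sit well above ordinary hostnames."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_trigger(trigger_json: str, local_suffix: str) -> dict:
    """Decode one trigger's qName and return the features an analyst would look at first."""
    raw = unescape_qname(json.loads(trigger_json)["qName"])
    labels = raw.rstrip(b".").split(b".")
    suffix = local_suffix.encode("ascii").split(b".")
    if labels[-len(suffix):] == suffix:  # keep only the client-chosen part of the name
        labels = labels[:-len(suffix)]
    payload = b".".join(labels)
    try:
        decoded = payload.decode("utf-8")  # None below means the bytes are not valid UTF-8 text
    except UnicodeDecodeError:
        decoded = None
    non_ascii = sum(b > 0x7F for b in payload) / len(payload) if payload else 0.0
    entropy = shannon_entropy(payload)
    longest = max((len(label) for label in labels), default=0)
    # Illustrative thresholds (assumptions), not the classifier Infoblox Threat Insight uses.
    flag = non_ascii > 0.5 or entropy > 4.0 or longest > 40
    return {"payload_bytes": payload, "decoded_text": decoded, "non_ascii_ratio": non_ascii,
            "entropy_bits": entropy, "longest_label": longest, "worth_a_look": flag}
```

A name whose client-chosen labels are entirely non-ASCII bytes, as in the thread, is worth correlating with the client IP and process before whitelisting it.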