Hi,

The logs seen here show that DNS tunneling traffic was detected by Infoblox Threat Insight.

DNS tunneling refers to a method of exfiltrating sensitive data from secured networks via the DNS port. That being said, DNS tunneling is also used by legitimate applications in certain scenarios. 

DNS tunneling requires a domain name whose registered NS records would point to malicious name servers. Hence the queries would follow the normal path of name resolution and would hit the malicious name servers. Sensitive data is encapsulated in these DNS queries and thus reaches the intended name servers.

The Infoblox Threat Insight, based on the configuration, can identify DNS tunneling traffic using Infoblox proprietary algorithms and add the associated domain name to a local response policy zone to be blocked.

The ideal thing to do in this scenario would be to investigate the domain name and client IP address detected, to identify if the traffic is from a legitimate source. If the traffic is identified as legitimate, you can add the domain name to a whitelist response policy zone to  bypass the traffic.

For more information, please refer to the section "Infoblox Threat Insight " in the NIOS Administrator Guide.

Regards,

Sandeep

Hi Sandeep,

Thanks for responding. I was starting to think that I am never going to get a response back.

Would you be able to elaborate further on how DNS tunneling is being used by legitimate applications in certain scenarios and some examples of these?

In our case, the queries were sent to weird characters in the hostname (which can't seem to be resolved in any of the extended language character sets of korean, japanese, chinese, etc) with corresponding domain name belonging to my organisation. Even if the extended character sets do resolve, it would be attempting to communicate with a FQDN that resides internally within the organisation. 

I can't think of a malicious intent in terms of TTP for it. However, what could be a legitimate cause for it? Thanks.

PExaminer