Security

Reply

Weird characters in Infoblox DNS firewall logs
PExaminer
PExaminer
Techie
Posts: 2

‎11-05-2018 12:15 AM

3010     0

Hi,

 

Can anyone shed light on whether the below DNS query recorded in the Infoblox logs is triggered from a malicious system or is benign? Thanks.

 

[DATETIMESTAMP] Infoblox X.X.X.X analytics: DNS Tunneling detected: Domain name [LOCALDOMAIN] has been detected with tunneling activity. The analytics classification was triggered by 4 queries from client IP: X.X.X.X to domain [LOCALDOMAIN]. The likelihood of the detection is 0.9999736635955486. Trigger 1 of 4 : {"timestamp":"YYYY-MM-DDTHH:MMSmiley FrustratedS","qName":"\\226\\181\\177\\226\\181\\172\\226\\181\\183\\227\\187\\226\\180\\176\\226\\175\\226\\180\\176\\227...","qType":"A","rData":null,"ttl":0,"delay":9223372036854775807

 

PEX

Labels:
Reply
0 Kudos

Re: Weird characters in Infoblox DNS firewall logs
SRenjith
Adviser
Posts: 70

‎11-30-2018 07:11 AM

3010     0

Hi,

 

The logs seen here show that DNS tunneling traffic was detected by Infoblox Threat Insight.

 

DNS tunneling refers to a method of exfiltrating sensitive data from secured networks via the DNS port. That being said, DNS tunneling is also used by legitimate applications in certain scenarios. 

 

DNS tunneling requires a domain name whose registered NS records would point to malicious name servers. Hence the queries would follow the normal path of name resolution and would hit the malicious name servers. Sensitive data is encapsulated in these DNS queries and thus reaches the intended name servers.

 

The Infoblox Threat Insight, based on the configuration, can identify DNS tunneling traffic using Infoblox proprietary algorithms and add the associated domain name to a local response policy zone to be blocked.

 

The ideal thing to do in this scenario would be to investigate the domain name and client IP address detected, to identify if the traffic is from a legitimate source. If the traffic is identified as legitimate, you can add the domain name to a whitelist response policy zone to  bypass the traffic.

 

For more information, please refer to the section "Infoblox Threat Insight " in the NIOS Administrator Guide.

 

Regards,

Sandeep

Reply
0 Kudos
Highlighted

Re: Weird characters in Infoblox DNS firewall logs
PExaminer
PExaminer
Techie
Posts: 2

‎12-04-2018 09:17 PM

3010     0

Hi Sandeep,

 

Thanks for responding. I was starting to think that I am never going to get a response back.

 

Would you be able to elaborate further on how DNS tunneling is being used by legitimate applications in certain scenarios and some examples of these?

 

In our case, the queries were sent to weird characters in the hostname (which can't seem to be resolved in any of the extended language character sets of korean, japanese, chinese, etc) with corresponding domain name belonging to my organisation. Even if the extended character sets do resolve, it would be attempting to communicate with a FQDN that resides internally within the organisation. 

 

I can't think of a malicious intent in terms of TTP for it. However, what could be a legitimate cause for it? Thanks.

 

PExaminer

Reply
0 Kudos
Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Do you mean 

Recommended for You

Latest Annoucements

Infolbox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community