SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Investigating an Odd DNS Query

Published: 2019-05-23
Last Updated: 2019-05-23 17:00:31 UTC
by Johannes Ullrich (Version: 1)
I have been asked this question a few times, and figured it may be worthwhile to document this in a quick diary. This is typically the result of watching for odd DNS queries (and I highly recommend that). But not all DNS queries are created equal, and sometimes you will see odd, or even malicious, hostnames and domain names in your logs without any wrongdoing on your end.

The latest example I just ran into: . IR being the country-level domain for Iran, and I am currently not doing business with Iran, which certainly makes this a bit suspect if it bubbles up to the top of the "odd domain list".

The queries for this domain came in at a rate of 100-150/5min in my Zeek logs:

Next, let's break down all the queries for the "" domain

You can click on the image to get a larger view. But the queries are essentially A/AAAA queries for ns[1-4] To add to this: they all came from my DNS server. Now the DNS server's query log would usually be my next step. But in this case, the query log does not show any queries for * I also didn't see any queries from any of my hosts to the name server for * . The reason for these queries was that a prior query returned these hostnames as authority records. This triggered my name server to do a lookup for these hostnames. So I need to search for answers that contain

It turned out that a prior reverse lookup by the mail server's spam filter returned the authority record, and as a result, the name server then kept looking for ns[1-4] in that domain. So why did the mail server try to reverse resolve the IP address over and over? My first guess was spam, but it turned out to be a brute force attack against the server:

May 23 16:47:35 mail postfix/smtpd[3420]: connect from unknown[]
May 23 16:47:42 mail postfix/smtpd[3420]: warning: unknown[]: SASL LOGIN authentication failed: authentication failure
May 23 16:47:42 mail postfix/smtpd[3420]: disconnect from unknown[]
May 23 16:47:58 mail postfix/smtpd[3420]: connect from unknown[]
May 23 16:48:05 mail postfix/smtpd[3420]: warning: unknown[]: SASL LOGIN authentication failed: authentication failure
May 23 16:48:05 mail postfix/smtpd[3420]: disconnect from unknown[]
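To work through the same chain on a Zeek dns.log, here is an added example (not the diary's own code): it parses Zeek's TSV layout, buckets the odd-domain queries per five minutes, and, because dns.log does not record the authority section, looks back a couple of seconds before each resolver-originated query to see what internal host asked the resolver just beforehand. The resolver and mail server addresses, the example-odd.ir placeholder and the log excerpt are all constructed.

```python
from collections import Counter

RESOLVER = "10.0.0.53"          # assumed internal recursive resolver (hypothetical)
ODD_SUFFIX = ".example-odd.ir"  # placeholder for the diary's redacted .ir domain

# Constructed Zeek dns.log excerpt in Zeek's TSV layout, columns trimmed.
# 10.0.0.25 is the mail server; 203.0.113.2 stands in for the external NS.
DNS_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name\tanswers
1558630055.101\t10.0.0.25\t10.0.0.53\t7.100.51.198.in-addr.arpa\tPTR\tNXDOMAIN\t-
1558630055.232\t10.0.0.53\t203.0.113.2\tns1.example-odd.ir\tA\tNOERROR\t203.0.113.10
1558630055.233\t10.0.0.53\t203.0.113.2\tns1.example-odd.ir\tAAAA\tNOERROR\t-
1558630055.240\t10.0.0.53\t203.0.113.2\tns2.example-odd.ir\tA\tNOERROR\t203.0.113.11
1558630071.402\t10.0.0.40\t10.0.0.53\twww.example.com\tA\tNOERROR\t93.184.216.34
1558630078.010\t10.0.0.25\t10.0.0.53\t7.100.51.198.in-addr.arpa\tPTR\tNXDOMAIN\t-
1558630078.150\t10.0.0.53\t203.0.113.2\tns3.example-odd.ir\tA\tNOERROR\t203.0.113.12
"""

def parse_zeek_tsv(text):
    """Return one dict per record, naming columns from the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def odd_queries(records, suffix=ODD_SUFFIX):
    """Queries under the suspicious domain, with who asked them."""
    return [r for r in records if r["query"].endswith(suffix)]

def queries_per_bucket(records, bucket=300):
    """Count records per 5-minute bucket, the view the diary starts from."""
    return dict(Counter(int(float(r["ts"]) // bucket) * bucket for r in records))

def candidate_triggers(records, window=2.0, resolver=RESOLVER):
    """Zeek's dns.log omits the authority section, so walk back in time:
    for each odd query the resolver itself sent, collect what other hosts
    asked the resolver within `window` seconds before it. Whatever recurs
    (here the mail server's PTR lookup) is the likely trigger."""
    odd = [r for r in odd_queries(records) if r["id.orig_h"] == resolver]
    hits = Counter()
    for o in odd:
        t = float(o["ts"])
        for r in records:
            if r["id.resp_h"] == resolver and t - window <= float(r["ts"]) < t:
                hits[(r["id.orig_h"], r["query"], r["qtype_name"])] += 1
    return hits.most_common()
```

On a real dns.log, run `candidate_triggers(parse_zeek_tsv(open("dns.log").read()))` and then check the top hit's source host, which is where the diary's Postfix log search picks up.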

So at least not entirely a "false positive", but also not terribly exciting. Mail servers are probably the main source of odd DNS queries. They tend to do a lot of reverse lookups for anti-spam, and they also use various DNS-based anti-spam and email validation features that often look very much like data exfiltration. You will also see a lot of less common record types in DNS queries from mail servers (TXT, SPF, ...).

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
