OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: hushcoden on July 31, 2020, 01:39:15 PM

Title: DNS entries in my log
Post by: hushcoden on July 31, 2020, 01:39:15 PM
My log's got hundreds of those alerts: is this something to worry about or not?

Tia.
Title: Re: DNS entries in my log
Post by: franco on July 31, 2020, 05:23:34 PM
Assuming this is a reliable metric that ".cc" domain means "command & control" for botnet operations then yes. ;)

All kidding aside, this is from namecheap:

Quote:
.CC Domains
If you own a country club, conference center, or consulting company, Cocos (Keeling) Islands' domain name is for you.
While .cc can be short for many things, it's also a good generic extension to consider when the domain name you want is already registered in another extension.

Probably, much like ".to", these domain types do not have much daily relevance and may be used for nefarious purposes with a higher ratio than more common domains. But that is just statistics...

https://doc.emergingthreats.net/bin/view/Main/2027757

Reading up on ".to" it says that there is no open registry of domain ownership and there are a few others, not sure if ".cc" is one of them.

https://en.wikipedia.org/wiki/.to


Cheers,
Franco
Title: Re: DNS entries in my log
Post by: blacksteel1288 on September 04, 2020, 12:51:46 AM
I see similar .to and .cc TLD domain queries on port 53 in my IDS logs too, from some of the devices on my home network.  Maybe not hundreds, but some.

I'm wondering why I see them at all if I have configured Unbound to forward all DNS queries over TLS using port 853.

Is there an explanation on why those are not using port 853?  (Maybe this is an Unbound question)

Thanks!
Title: Re: DNS entries in my log
Post by: hushcoden on September 04, 2020, 11:14:39 AM
Indeed, I also use DoT and was expecting to see port 853 and not 53, but I'm not a networking-savvy person, so I don't know if that's the way it should work or not...  :P
Title: Re: DNS entries in my log
Post by: chemlud on September 04, 2020, 11:31:29 AM
E.g. I have a standard browser tab with dict.cc, so every time I open my browser, I get such an alarm. But as my setup allows only the IP of the firewall to be reached via port 53, the target IP is always the router... ;-)
Title: Re: DNS entries in my log
Post by: blacksteel1288 on September 04, 2020, 01:33:57 PM
Actually, on further review that is correct -- I see these TLD alerts on port 53 and the destination is the router, which is running unbound and presumably forwarding these requests over 853 via DoT.

Still, I don't know what apps on these devices (laptops and desktops) need to access something on a ".to" domain.  Is there a way to find out what makes this query?  Or, if it is malware?

Other posts seem to say that the best solution is to use a DNS with malware protection like Quad9 or Cloudflare's special DNS.  I'd like to know what it is first.
Title: Re: DNS entries in my log
Post by: chemlud on September 04, 2020, 02:03:25 PM
Services -> Intrusion Detection -> Administration -> Alerts

...and then click on the pen to the very right side of the table, column "Info"...

Please report back ;-)


PS: wife in home office produces a lot of

ET TROJAN Infostealer.Banprox Proxy.pac Download

:-D
Title: Re: DNS entries in my log
Post by: blacksteel1288 on September 10, 2020, 10:45:14 PM
Thanks, I'm aware of the info popup, but it doesn't tell me anything about the source of the ".to" request other than the IP address of the laptop, which is already in the list view of the report.

I'd like to know which app, site, or service is making that request.
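As an added example (not code from any poster or from OPNsense), a small Python script that reads Suricata EVE JSON DNS events, tallies per client device which names under .to/.cc were queried (answering "which host asked for what"), and separately flags queries that went to a resolver other than the firewall, i.e. the traffic chemlud's port-53 rule would block instead of letting Unbound forward it over DoT. The firewall address 192.168.1.1 and the log lines are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Assumed address of the OPNsense box running Unbound (constructed value).
FIREWALL_IP = "192.168.1.1"
WATCHED_TLDS = {"to", "cc"}

# Constructed EVE JSON lines in the shape Suricata writes for DNS events.
SAMPLE_EVE = """
{"timestamp":"2020-09-04T12:01:00+0000","event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"dict.cc","rrtype":"A"}}
{"timestamp":"2020-09-04T12:01:02+0000","event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2020-09-04T12:02:10+0000","event_type":"dns","src_ip":"192.168.1.31","dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"cdn.example.to","rrtype":"AAAA"}}
{"timestamp":"2020-09-04T12:02:11+0000","event_type":"flow","src_ip":"192.168.1.31","dest_ip":"8.8.8.8","dest_port":53,"proto":"UDP"}
{"timestamp":"2020-09-04T12:03:00+0000","event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"answer","rrname":"dict.cc","rrtype":"A"}}
"""

def tld_of(name):
    """Last label of a DNS name, ignoring a trailing dot and case."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()

def summarize_dns(lines, firewall_ip=FIREWALL_IP, tlds=WATCHED_TLDS):
    """Return (per_client, bypass): per_client maps client IP -> Counter of
    queried names under the watched TLDs; bypass lists (client, name, dest)
    for queries sent to a resolver other than the firewall's Unbound."""
    per_client = defaultdict(Counter)
    bypass = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        # Only DNS query records carry the name a device asked for; answers
        # and other event types (alert, flow, ...) are skipped.
        if ev.get("event_type") != "dns" or ev.get("dns", {}).get("type") != "query":
            continue
        name = ev["dns"].get("rrname", "")
        if tld_of(name) not in tlds:
            continue
        per_client[ev["src_ip"]][name] += 1
        if ev.get("dest_ip") != firewall_ip:
            bypass.append((ev["src_ip"], name, ev.get("dest_ip")))
    return per_client, bypass

if __name__ == "__main__":
    clients, leaks = summarize_dns(SAMPLE_EVE.splitlines())
    for client, names in clients.items():
        print(client, dict(names))
    for client, name, dest in leaks:
        print("bypassed local resolver:", client, name, "->", dest)
```

Pointing the script at /var/log/suricata/eve.json on the firewall gives the same per-device view as the Alerts tab, but keyed by queried name; identifying the process on the laptop itself still needs a tool on that host.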