Print Page - Indicator of compromise? Abnormal DNS requests...

Title: Indicator of compromise? Abnormal DNS requests...
Post by: s0nic on August 31, 2021, 09:57:22 PM

I have enabled the DNS logging in unbound and I see requests that I would normaly assign to an IOC:

2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN

Notes

No client has requested these addresses.
10.10.10.254 = OpnSense LAN Interface
kaki = local domain (intranet) eg. server01.kaki
Only OpenVPN is offered via the WAN interface. No other ports have been opened on the WAN interface so far.
Only the following packages differ from the default installation:
- os-etpro-telemetry (installed)
- os-sensei (installed)
- os-sunnyvalley (installed)

I've some questions:

Why does OpnSense use its LAN address for internal / its own DNS queries?
---> I also see other requests from OpnSense with 127.0.0.1, so why is it using 10.10.10.254?
What damn package or function is trying to resolve these domains here?
If it is a client, he must have spoofed the firewall LAN IP... but then... why does he ask for the domains without TLD?

Title: Re: Indicator of compromise? Abnormal DNS requests...
Post by: Greelan on September 01, 2021, 12:04:31 AM

Chromium-based browsers running DNS tests: https://www.zdnet.com/article/chromium-dns-hijacking-detection-accused-of-being-around-half-of-all-root-queries/

OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: s0nic on August 31, 2021, 09:57:22 PM