DNS entries in my log

Started by hushcoden, July 31, 2020, 01:39:15 PM

My log's got hundreds of those alerts: is this something to worry about, or not?

Tia.

Assuming this is a reliable metric that ".cc" domain means "command & control" for botnet operations then yes. ;)

All kidding aside, this is from namecheap:

Quote: .CC Domains
If you own a country club, conference center, or consulting company, Cocos (Keeling) Islands' domain name is for you.
While .cc can be short for many things, it's also a good generic extension to consider when the domain name you want is already registered in another extension.

Probably, much like ".to" these domain types do not have much daily relevance and may be used for nefarious purposes with a higher ratio than more common domains. But that is just statistics...

https://doc.emergingthreats.net/bin/view/Main/2027757

Reading up on ".to" it says that there is no open registry of domain ownership and there are a few others, not sure if ".cc" is one of them.

https://en.wikipedia.org/wiki/.to


Cheers,
Franco

I see similar .to and .cc TLD domain queries on port 53 in my IDS logs too, from some of the devices on my home network.  Maybe not hundreds, but some.

I'm wondering why I see them at all if I have configured Unbound to forward all DNS queries over TLS using port 853.

Is there an explanation on why those are not using port 853?  (Maybe this is an Unbound question)

Thanks!

Indeed, I also use DoT and was expecting to see port 853 and not 53, but I'm not a networking-savvy person, so I don't know if that's the way it should work or not...  :P

E.g. I have a standard browser tab with dict.cc, so every time I open my browser, I get such an alarm. But as my setup allows only the IP of the firewall to be reached via port 53, the target IP is always the router... ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Actually, on further review that is correct -- I see these TLD alerts on port 53 and the destination is the router, which is running unbound and presumably forwarding these requests over 853 via DoT.

Still, I don't know what apps on these devices (laptops and desktops) need to access something on a ".to" domain.  Is there a way to find out what makes this query?  Or, if it is malware?

Other posts seem to say that the best solution is to use a DNS with malware protection like Quad9 or Cloudflare's special DNS.  I'd like to know what it is first.

September 04, 2020, 02:03:25 PM #6 Last Edit: September 04, 2020, 02:11:31 PM by chemlud
Services -> Intrusion Detection -> Administration -> Alerts

...and then click on the pen to the very right side of the table, column "Info"...

Please report back ;-)


PS: wife in home office produces a lot of

ET TROJAN Infostealer.Banprox Proxy.pac Download

:-D
kind regards
chemlud

Thanks, I'm aware of the info popup, but it doesn't tell me anything about the source of the ".to" request other than the IP address of the laptop, which is already in the list view of the report.

I'd like to know which app, site, or service is making that request.
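The IDS only sees which client IP sent the query and to which resolver, so the quickest triage of "hundreds of those alerts" is to group them per client and check whether the query went to the firewall's Unbound (the expected path when clients use the router and the router forwards over DoT, as described above) or straight to an outside resolver on port 53. The following script is an added example for this thread, not code from the original posts or from OPNsense/Suricata. It assumes Suricata's EVE JSON alert format with DNS metadata attached (fields event_type, src_ip, dest_ip, dest_port, alert.signature, dns.query[].rrname), that 192.168.1.1 is the firewall running Unbound, and that the sample log lines are constructed rather than real:

```python
"""Constructed example: triage IDS (Suricata EVE JSON) alerts for DNS queries to
watched TLDs such as .cc and .to.  For each client IP it counts the names
queried and whether the query went to the local resolver (expected) or to an
external resolver on port 53 (a client bypassing the firewall's Unbound).

Assumptions (not from the thread): EVE alert field names as used below,
192.168.1.1 is the firewall running Unbound, and the sample lines are constructed.
"""
import json
from collections import defaultdict

LOCAL_RESOLVERS = {"192.168.1.1"}   # assumed address of the firewall/Unbound
WATCHED_TLDS = {"cc", "to"}         # the TLDs the thread's alerts fire on

# Constructed sample of eve.json lines (one JSON object per line, plus junk).
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.20", "dest_ip": "192.168.1.1",
                "dest_port": 53, "alert": {"signature": "CONSTRUCTED DNS query to .cc TLD"},
                "dns": {"query": [{"rrname": "dict.cc"}]}}),
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.20", "dest_ip": "192.168.1.1",
                "dest_port": 53, "alert": {"signature": "CONSTRUCTED DNS query to .cc TLD"},
                "dns": {"query": [{"rrname": "dict.cc."}]}}),
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.30", "dest_ip": "192.168.1.1",
                "dest_port": 53, "alert": {"signature": "CONSTRUCTED DNS query to .to TLD"},
                "dns": {"query": [{"rrname": "cdn.example.to"}]}}),
    # This client talks to an outside resolver directly, skipping the firewall's Unbound.
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.40", "dest_ip": "8.8.8.8",
                "dest_port": 53, "alert": {"signature": "CONSTRUCTED DNS query to .to TLD"},
                "dns": {"query": [{"rrname": "tracker.example.to"}]}}),
    # Not a watched TLD: ignored.
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.50", "dest_ip": "192.168.1.1",
                "dest_port": 53, "alert": {"signature": "CONSTRUCTED other DNS alert"},
                "dns": {"query": [{"rrname": "www.example.com"}]}}),
    # Plain DNS log record (not an alert) and a malformed line: both ignored.
    json.dumps({"event_type": "dns", "src_ip": "192.168.1.20", "dest_ip": "192.168.1.1",
                "dns": {"type": "query", "rrname": "dict.cc"}}),
    "this line is not JSON",
]


def query_names(event):
    """Return the names carried in an alert's dns.query metadata, trailing dot removed."""
    dns = event.get("dns") or {}
    return [q["rrname"].rstrip(".") for q in dns.get("query", []) if q.get("rrname")]


def tld_of(name):
    """Last label of a domain name, lower-cased."""
    return name.rsplit(".", 1)[-1].lower()


def summarize(lines):
    """Group watched-TLD DNS alerts by client IP.

    Returns {src_ip: {"names": {name: count}, "via_resolver": n, "bypass": n}}.
    """
    per_client = defaultdict(lambda: {"names": defaultdict(int), "via_resolver": 0, "bypass": 0})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip truncated or non-JSON lines
        if ev.get("event_type") != "alert":
            continue
        names = [n for n in query_names(ev) if tld_of(n) in WATCHED_TLDS]
        if not names:
            continue
        entry = per_client[ev.get("src_ip", "unknown")]
        for n in names:
            entry["names"][n] += 1
        if ev.get("dest_ip") in LOCAL_RESOLVERS:
            entry["via_resolver"] += 1   # expected: client -> firewall Unbound on 53
        else:
            entry["bypass"] += 1         # client went around the local resolver
    return {ip: {"names": dict(e["names"]), "via_resolver": e["via_resolver"], "bypass": e["bypass"]}
            for ip, e in per_client.items()}


def bypass_clients(summary):
    """Client IPs that sent watched-TLD queries to something other than the local resolver."""
    return sorted(ip for ip, e in summary.items() if e["bypass"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVE_LINES)
    for ip, e in sorted(summary.items()):
        print(f"{ip}: via_resolver={e['via_resolver']} bypass={e['bypass']} names={e['names']}")
    print("clients bypassing the local resolver:", bypass_clients(summary))
```

Run it against a real eve.json by replacing SAMPLE_EVE_LINES with the file's lines. The per-name counts answer the first half of the question in this thread (a browser tab on dict.cc shows up as the same name over and over from one client); the bypass column is the case worth looking at first, since a client that resolves outside the firewall never benefits from the DoT forwarding configured in Unbound. Neither the IDS nor Unbound's own query logging (unbound.conf `log-queries: yes`) can name the process behind a query; that attribution has to come from the client itself.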