Indicator of compromise? Abnormal DNS requests...

Started by s0nic, August 31, 2021, 09:57:22 PM

August 31, 2021, 09:57:22 PM Last Edit: August 31, 2021, 10:27:59 PM by s0nic
I have enabled the DNS logging in unbound and I see requests that I would normally assign to an IOC:

2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN

Notes

  • No client has requested these addresses.
  • 10.10.10.254 = OpnSense LAN Interface
  • kaki = local domain (intranet) eg. server01.kaki
  • Only OpenVPN is offered via the WAN interface. No other ports have been opened on the WAN interface so far.
  • Only the following packages differ from the default installation:
    - os-etpro-telemetry (installed)
    - os-sensei (installed)
    - os-sunnyvalley (installed)


I've some questions:

  • Why does OpnSense use its LAN address for internal / its own DNS queries?
    ---> I also see other requests from OpnSense with 127.0.0.1, so why is it using 10.10.10.254?
  • What damn package or function is trying to resolve these domains here?
  • If it is a client, he must have spoofed the firewall LAN IP... but then... why does he ask for the domains without TLD?
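As an added example (not part of s0nic's post and not code from OPNsense or unbound): a small Python script that parses unbound query-log lines in the format quoted above and flags left-most labels that look machine-generated, which is the first thing a responder would do to separate names like the ones in the post from ordinary intranet lookups before chasing down the sending process. The sample log text is constructed for the example (three of the names from the post plus two ordinary-looking queries from a different client), and the length, consonant-run and entropy thresholds are assumptions chosen to fit those names, not values from any standard.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample in the unbound query-log format quoted in the post:
# timestamp, process, thread id, "info:", client, qname, qtype, qclass.
# The last two lines are invented ordinary queries for contrast.
SAMPLE_LOG = """\
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:33:10   unbound[33632]   [33632:0] info: 10.10.10.23 server01.kaki. A IN
2021-08-31T21:33:12   unbound[33632]   [33632:3] info: 10.10.10.23 www.example.com. AAAA IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+unbound\[\d+\]\s+\[\d+:\d+\]\s+info:\s+"
    r"(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)$"
)


def parse_unbound_log(text):
    """Yield one dict per query line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()  # drop trailing root dot
            yield rec


def shannon_entropy(s):
    """Bits per character; random strings of distinct letters score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def consonant_run(label):
    """Longest run of consecutive consonants; pronounceable names rarely exceed 4."""
    best = cur = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiouy":
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def looks_generated(label, min_len=10, max_run=5, min_entropy=2.8):
    """Heuristic (thresholds are assumptions): long, unpronounceable, high-entropy."""
    return (
        len(label) >= min_len
        and consonant_run(label) >= max_run
        and shannon_entropy(label) >= min_entropy
    )


def find_suspicious(text):
    """Return {client: sorted list of qnames} whose left-most label looks generated."""
    hits = defaultdict(set)
    for q in parse_unbound_log(text):
        leftmost = q["qname"].split(".")[0]  # the suffix (e.g. "kaki") is fixed, ignore it
        if looks_generated(leftmost):
            hits[q["client"]].add(q["qname"])
    return {client: sorted(names) for client, names in hits.items()}


def burst_counts(text):
    """Queries per (timestamp, client): many in one second from one source is itself a signal."""
    counts = Counter()
    for q in parse_unbound_log(text):
        counts[(q["ts"], q["client"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, names in find_suspicious(SAMPLE_LOG).items():
        print(client, names)
    print(burst_counts(SAMPLE_LOG))
```

The heuristic only says a label looks random; it does not say who generated it. A flagged name whose source is the firewall's own LAN address still has to be tied to a process on the box (what is listening or sending at that moment), which the log alone cannot tell you.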