OPNsense Forum » Archive » 21.7 Legacy Series » Indicator of compromise? Abnormal DNS requests...
Topic: Indicator of compromise? Abnormal DNS requests... (Read 1430 times)
s0nic (Newbie, Posts: 2, Karma: 0)
Indicator of compromise? Abnormal DNS requests... « on: August 31, 2021, 09:57:22 pm »
I have enabled the DNS logging in unbound and I see requests that I would normally assign to an IOC:
2021-08-31T21:32:59 unbound[33632] [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:3] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
Notes:
No client has requested these addresses.
10.10.10.254 = OpnSense LAN interface
kaki = local domain (intranet), e.g. server01.kaki
Only OpenVPN is offered via the WAN interface. No other ports have been opened on the WAN interface so far.
Only the following packages differ from the default installation:
- os-etpro-telemetry (installed)
- os-sensei (installed)
- os-sunnyvalley (installed)
I have some questions:
Why does OpnSense use its LAN address for internal / its own DNS queries?
---> I also see other requests from OpnSense with 127.0.0.1, so why is it using 10.10.10.254?
What damn package or function is trying to resolve these domains here?
If it is a client, it must have spoofed the firewall LAN IP... but then... why does it ask for the domains without a TLD?
« Last Edit: August 31, 2021, 10:27:59 pm by s0nic »
Greelan (Hero Member, Posts: 1028, Karma: 72)
Re: Indicator of compromise? Abnormal DNS requests... « Reply #1 on: September 01, 2021, 12:04:31 am »
Chromium-based browsers running DNS tests:
https://www.zdnet.com/article/chromium-dns-hijacking-detection-accused-of-being-around-half-of-all-root-queries/
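Triage logic for the pattern Greelan points to, as an added example that is not part of the thread: it parses unbound query-log lines in the format quoted above and flags a client that asks for three or more distinct random-letter labels (7 to 15 a-z characters, which is what Chromium's intranet-redirect probe generates) under the local domain within a few seconds, so those can be separated from lookups that deserve a closer look. The sample log lines are constructed to match the post; the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the unbound query-log format quoted in the post:
# three random labels from the firewall itself, plus two ordinary lookups.
SAMPLE_LOG = """\
2021-08-31T21:32:59 unbound[33632] [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59 unbound[33632] [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:33:05 unbound[33632] [33632:0] info: 10.10.10.23 server01.kaki. A IN
2021-08-31T21:33:07 unbound[33632] [33632:0] info: 10.10.10.23 update.example.com. A IN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) unbound\[\d+\] \[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)
# Chromium's probe hostnames are 7-15 random lowercase letters, no digits or hyphens.
PROBE_LABEL = re.compile(r"^[a-z]{7,15}$")


def parse_unbound_log(text):
    """Yield (timestamp, client, qname without trailing dot, qtype) per matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["client"],
                   m["qname"].rstrip("."), m["qtype"])


def find_chromium_probes(text, local_domain, window_s=10):
    """Return {client: sorted labels} for clients that queried 3+ distinct
    random-letter labels under local_domain within window_s seconds of the
    first one. That burst is the signature of Chromium's intranet-redirect
    check; a single odd name, or names with digits, does not qualify."""
    suffix = "." + local_domain
    candidates = defaultdict(list)  # client -> [(timestamp, label)]
    for ts, client, qname, qtype in parse_unbound_log(text):
        if qtype == "A" and qname.endswith(suffix):
            label = qname[: -len(suffix)]
            if PROBE_LABEL.match(label):
                candidates[client].append((ts, label))
    result = {}
    for client, hits in candidates.items():
        hits.sort()
        first = hits[0][0]
        labels = {lbl for ts, lbl in hits if (ts - first).total_seconds() <= window_s}
        if len(labels) >= 3:
            result[client] = sorted(labels)
    return result
```

Anything the heuristic does not clear (labels with digits, a steady stream of new names, or a burst from a host that is not a browser) still warrants the usual look at which process on that client issued the queries.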