• Support
  • Forums
  • Blogs

DNS Blackhole - Identifying problem hosts

benny32benny32

Entry Level
+1
I have gotten a few blackhole or command and control alerts but predictably they show the infected host as my internal dns server since that is the device making the request to external sites for internal hosts.  How do I figure out which internal host is the one actually making the request to the internal dns server? 

Share post:

Best Answer

  • Can you correlate some traffic log from your clients subnets that have the bad domain as destination ? Maybe via webfilter logs ?

Answers

  • Anyone have thoughts on this?  I'm really not sure how I can figure out which hosts are making the dns request when it always appears to be coming from my dns server.
  • Open that alarm at the very bottom you'll see events if open the first event occurred you'll see a piece of raw log at the bottom... I hope that must help you.
  • I also have this kind of alerts, for the moment I must manually check, thought my firewalls trafic logs, which one of my client is actually talking to the resolved bad address.  The bad adresse appears in the raw log entry as jensonjjs says.
  • That's the thing, my firewall is not my router.  Our switch stack is our router and all client dns requests go to our dns servers which forward them all to the firewall so from the firewall standpoint, everything comes from one of two dns servers.  Maybe I'm missing something but when I drill down into the alarms for these they always have either one of my dns servers and never any actual client information.  
  • In the raw log, can you see the actual bad domain that your client is asking your dns server to resolve ?
  • Yes, I see that in the raw logs.
  • That's a possibility.  I'll see if I can do that.  That might work for some of these and if I get jammed up again I'll reply back!
  • You probably also can put a sensor between your client and your dns servers that listen to dns traffic or create a plugin that read dns logs from your dns servers
  • If your dns servers log requests, it's pretty easy to track them down.

Sign In or Register to comment.