topic Re: MALWARE-CNC DNS suspicious .bit dns query in Network Security

MALWARE-CNC DNS suspicious .bit dns query

Scott.Ezell — Wed, 21 Aug 2024 13:55:57 GMT

I got alerts from my Firepower this morning for this. The source IP is my DNS server, and the destination was my DNS provider. I can't find anything in the alert that I can use to locate the system that actually issued the request to my DNS server. I'm guessing it was a website/domain being requested that triggered it, but how do I find out what that was. If I had that, I could then check my logs for which system requested it.

Re: MALWARE-CNC DNS suspicious .bit dns query

Marvin Rhoads — Wed, 21 Aug 2024 15:25:33 GMT

You wouldn't see it based on the DNS query itself since that traffic was only between the internal and public DNS resolver from the firewall's perspective.

However, you might be able to find the subsequent connection that would normally follow the end host having received an IP to match the FQDN. Search for that destination IP in your connection events (assuming you haven't rolled over the database records and you are logging all connections).

Re: MALWARE-CNC DNS suspicious .bit dns query

MHM Cisco World — Wed, 21 Aug 2024 15:32:04 GMT

Try

Show dns

Show run dns

Show fqdn

I am not so sure you will get url request but try, then add this url to specific ACP and detect how try connect this url

MHM