MALWARE-CNC DNS suspicious .bit dns query

Scott.Ezell
Level 1

I got alerts from my Firepower this morning for this. The source IP is my DNS server, and the destination was my DNS provider. I can't find anything in the alert that I can use to locate the system that actually issued the request to my DNS server. I'm guessing it was a website/domain being requested that triggered it, but how do I find out what that was? If I had that, I could then check my logs for which system requested it.

2 Replies

Marvin Rhoads
Hall of Fame

You wouldn't see it based on the DNS query itself since that traffic was only between the internal and public DNS resolver from the firewall's perspective.

However, you might be able to find the subsequent connection that would normally follow the end host having received an IP to match the FQDN. Search for that destination IP in your connection events (assuming you haven't rolled over the database records and you are logging all connections).
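As the reply above notes, the firewall only sees the resolver's upstream query, so the internal client has to come from the DNS server's own query log. The following is an added example, not code from this thread or from Cisco: it parses constructed BIND 9 style query-log lines (made up here; the resolver address 10.1.1.10 and the client addresses are assumptions) and groups every .bit lookup by the client that asked, which is the list you would then take to the connection events.

```python
import re
from collections import defaultdict

# Constructed sample resolver query log in BIND 9 "query" category format.
# These lines are made up for this example; they are not from the thread.
SAMPLE_QUERY_LOG = """\
05-Mar-2024 09:12:01.233 client @0x7f3a1c0 10.1.20.55#51234 (www.example.com): query: www.example.com IN A + (10.1.1.10)
05-Mar-2024 09:12:03.871 client @0x7f3a1d0 10.1.20.77#60001 (files.somename.bit): query: files.somename.bit IN A + (10.1.1.10)
05-Mar-2024 09:12:04.002 client @0x7f3a1d0 10.1.20.77#60002 (files.somename.bit.): query: files.somename.bit. IN AAAA + (10.1.1.10)
05-Mar-2024 09:12:09.500 client 10.1.30.12#44321 (cdn.example.org): query: cdn.example.org IN A + (10.1.1.10)
05-Mar-2024 09:13:15.120 client 2001:db8::91#49152 (UPDATE.OTHERNAME.BIT): query: UPDATE.OTHERNAME.BIT IN A + (10.1.1.10)
"""

# Matches the fields we need; the "@0x..." client handle is optional because
# older BIND releases omit it. Client may be IPv4 or IPv6.
QUERY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def find_clients_querying_tld(log_text, tld="bit"):
    """Return {client_ip: [(timestamp, qname, qtype), ...]} for every query
    whose name ends in the given TLD. Names are normalised (trailing dot
    stripped, lower-cased) so "FOO.BIT." and "foo.bit" both match."""
    wanted = "." + tld.lower().lstrip(".")
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_LINE.match(line)
        if not m:
            continue  # unrelated log line or a different log category
        qname = m.group("qname").rstrip(".").lower()
        if qname.endswith(wanted):
            hits[m.group("client")].append((m.group("ts"), qname, m.group("qtype")))
    return dict(hits)


if __name__ == "__main__":
    # Prints each internal client that asked for a .bit name, with its queries.
    for client, queries in find_clients_querying_tld(SAMPLE_QUERY_LOG).items():
        print(client)
        for ts, qname, qtype in queries:
            print(f"  {ts}  {qname}  {qtype}")
```

The client addresses this returns are the hosts to check in the Firepower connection events, together with the IP the .bit name resolved to.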

Try:

show dns
show run dns
show fqdn

I am not so sure you will get the URL request, but try; then add this URL to a specific ACP and detect who tries to connect to this URL.

MHM
