1

A customer Sophos-UTM reports Intrusion protection alert warnings INDICATOR-COMPROMISE suspicious .null dns query: 

2019:01:15-11:54:13 utm-ba snort[31619]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE suspicious .null dns query" group="241" srcip="192.168.0.1" dstip="192.168.0.254" proto="17" srcport="49445" dstport="53" sid="48666" class="Misc activity" priority="3" generator="1" msgid="0"

We enabled DNS logging on the domain controller and get this data. (Names are obfuscated)

From the DNS log of the domain controller

Devices in the log

  • 192.168.0.1 = domain controller (DomainServer.dom.local)
  • 192.168.0.16 = QNAP NAS
  • 192.168.0.254 = Sophos UTM
15.01.2019 11:53:39 2728 PACKET  000000E796562170 UDP Rcv 192.168.0.16    4c9e   Q [0001   D   NOERROR] AAAA   (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)
UDP question info at 000000E796562170
  Socket = 556
  Remote addr 192.168.0.16, port 56856
  Time Query=533586, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0031 (49)
  Message:
    XID       0x4c9e
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)"
      QTYPE   AAAA (28)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

15.01.2019 11:53:39 2728 PACKET  000000E7932A4220 UDP Snd 192.168.0.254   4eb1   Q [0001   D   NOERROR] AAAA   (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)
UDP question info at 000000E7932A4220
  Socket = 11688
  Remote addr 192.168.0.254, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003c (60)
  Message:
    XID       0x4eb1
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)"
      QTYPE   AAAA (28)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0031, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
        Buffer Size  = 4000
        Rcode Ext    = 0
        Rcode Full   = 0
        Version      = 0
        Flags        = 80 DO

Questions:

  • Does anyone have an explanation why this is a potentially dangerous request?
  • Is it only due do the (3)dev(4)null(0)part in the request?

(We currently don't know why this requests are sent and I already asked on Superuser: DNS queries “DomainServer.dom.local.dev.null” by QNAP NAS)

marsh-wiggle
  • 2,265

1 Answers1

1

Intrusion Detection and Intrusion Prevention is often some kind of behavioral analysis - Sophos does not see real malicious activity like a known malware or something like this, but it sees something that likely may be connected to malicious activities.

In your case Sophos is seeing a DNS query for .null and may assume that this TLD is likely connected to spammers or other malicious attackers. Same thing happens with .top or .ml - we often get warning messages with these TLDs. The sites that are visited are real and non-malicious, but as far as i read they are often used connected to malware, spam, c&c servers and so on.

About the notation (12)NameOfServer(3)dom(5)local(3)dev(4)null(0) - this is only the notation that Windows DNS server logs querys. For more information about this, read this ServerFault answer.

EDIT: As requested, here is an example of our Sophos log, a most recent entry from today (funfact - the client was mine, and the TLD was .glue...):

2019:01:23-12:59:29 gate-1 snort[15859]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE suspicious .glue dns query" group="241" srcip="[client-ip-address]" dstip="[dns-server-address]" proto="17" srcport="53831" dstport="53" sid="48713" class="Misc activity" priority="3" generator="1" msgid="0"

I cannot provide the Windows DNS log entry - I was investigating these messages a few weeks ago and had the log enabled for a day, but normaly we have it disabled.

Also I was again thinking about why you get this message - I would bet that somewhere on the NAS there is a network config (maybe the NAS itself or an installed app) where someone (since it is .dev.null I would bet a Linux admin...) did not want to enter real data, so he entered some bogus DNS hostnames.

Tobias
  • 1,254
  • 2
  • 15
  • 26