
A customer's Sophos UTM reports Intrusion protection alert warnings "INDICATOR-COMPROMISE suspicious .null dns query":

2019:01:15-11:54:13 utm-ba snort[31619]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE suspicious .null dns query" group="241" srcip="192.168.0.1" dstip="192.168.0.254" proto="17" srcport="49445" dstport="53" sid="48666" class="Misc activity" priority="3" generator="1" msgid="0"

We enabled DNS logging on the domain controller and got this data. (Names are obfuscated.)

From the DNS log of the domain controller

Devices in the log

  • 192.168.0.1 = domain controller (DomainServer.dom.local)
  • 192.168.0.16 = QNAP NAS
  • 192.168.0.254 = Sophos UTM

15.01.2019 11:53:39 2728 PACKET  000000E796562170 UDP Rcv 192.168.0.16    4c9e   Q [0001   D   NOERROR] AAAA   (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)
UDP question info at 000000E796562170
  Socket = 556
  Remote addr 192.168.0.16, port 56856
  Time Query=533586, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0031 (49)
  Message:
    XID       0x4c9e
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)"
      QTYPE   AAAA (28)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

15.01.2019 11:53:39 2728 PACKET  000000E7932A4220 UDP Snd 192.168.0.254   4eb1   Q [0001   D   NOERROR] AAAA   (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)
UDP question info at 000000E7932A4220
  Socket = 11688
  Remote addr 192.168.0.254, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003c (60)
  Message:
    XID       0x4eb1
    Flags     0x0100
      QR        0 (QUESTION)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)"
      QTYPE   AAAA (28)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
    Offset = 0x0031, RR count = 0
    Name      "(0)"
      TYPE   OPT  (41)
      CLASS  4000
      TTL    32768
      DLEN   0
      DATA   
        Buffer Size  = 4000
        Rcode Ext    = 0
        Rcode Full   = 0
        Version      = 0
        Flags        = 80 DO

Questions:

  • Does anyone have an explanation why this is a potentially dangerous request?
  • Is it only due to the `(3)dev(4)null(0)` part in the request?

(We currently don't know why these requests are sent, and I already asked on Superuser: DNS queries “DomainServer.dom.local.dev.null” by QNAP NAS)

marsh-wiggle

  • I cannot answer why this is reported as potential compromise and whether it is reasonable to do so. What I can however say is that there is no legitimate reason to do such lookups. I do not see `null` among the currently allocated TLDs and neither among the reserved domain names. As such it is available for future allocation, and should it be allocated in the future, the responses you receive can change in any way. – kasperd Jan 20 '19 at 17:45
  • I'm curious about `(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)`. (The numbers seem to reflect the length of the subsequent string.) Is that the raw text of the query being sent by the QNAP, or is the query text being modified by the UTM? What's interesting is the `(0)` at the end; might indicate a null-terminated string being sent to the DNS. Can you capture the actual query packet and see? – SmallClanger Jan 22 '19 at 20:40
  • @SmallClanger Most DNS queries the QNAP sends are regular, like: `(12)NameOfServer(3)dom(5)local(0)`. And the notation is the usual one. – marsh-wiggle Jan 23 '19 at 09:23

1 Answer

Intrusion Detection and Intrusion Prevention is often some kind of behavioral analysis - Sophos does not see real malicious activity like a known malware or something like this, but it sees something that likely may be connected to malicious activities.

In your case Sophos is seeing a DNS query for .null and may assume that this TLD is likely connected to spammers or other malicious attackers. The same thing happens with .top or .ml - we often get warning messages with these TLDs. The sites that are visited are real and non-malicious, but as far as I have read, they are often used in connection with malware, spam, C&C servers and so on.

About the notation (12)NameOfServer(3)dom(5)local(3)dev(4)null(0) - this is only the notation in which the Windows DNS server logs queries. For more information about this, read this ServerFault answer.

EDIT: As requested, here is an example of our Sophos log, a most recent entry from today (funfact - the client was mine, and the TLD was .glue...):

2019:01:23-12:59:29 gate-1 snort[15859]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE suspicious .glue dns query" group="241" srcip="[client-ip-address]" dstip="[dns-server-address]" proto="17" srcport="53831" dstport="53" sid="48713" class="Misc activity" priority="3" generator="1" msgid="0"

I cannot provide the Windows DNS log entry - I was investigating these messages a few weeks ago and had the log enabled for a day, but normally we have it disabled.

Also I was again thinking about why you get this message - I would bet that somewhere on the NAS there is a network config (maybe the NAS itself or an installed app) where someone (since it is .dev.null I would bet a Linux admin...) did not want to enter real data, so he entered some bogus DNS hostnames.

Tobias
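The answer above explains the length-prefixed label notation of the Windows DNS debug log and that the UTM fires on the query's TLD. The following is an added example (not code from the question, the answer, Sophos or Microsoft) that decodes that notation from the packet lines shown in the question and flags queries whose TLD is on a constructed watch list, mirroring what the IDS signature does so an admin can triage the DNS log offline; the watch list and the third log line are assumptions.

```python
import re

# Windows DNS debug-log names are length-prefixed labels, e.g.
# "(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)"; "(0)" is the root label.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Matches the "... UDP Rcv 192.168.0.16    4c9e   Q [...] AAAA   (12)..." packet lines.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ PACKET\s+\S+ UDP (?P<dir>Rcv|Snd) (?P<peer>\S+)\s+\S+\s+"
    r"Q \[.*?\]\s+(?P<qtype>\S+)\s+(?P<name>\(.*\(0\))$"
)

# Constructed watch list of TLDs mentioned on this page; not a real Snort rule set.
SUSPICIOUS_TLDS = {"null", "glue", "top", "ml"}

# First two lines are copied from the question's DNS log; the third is constructed
# to show a benign query (the usual "(12)NameOfServer(3)dom(5)local(0)" form).
SAMPLE_LOG = [
    "15.01.2019 11:53:39 2728 PACKET  000000E796562170 UDP Rcv 192.168.0.16    4c9e   Q [0001   D   NOERROR] AAAA   (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)",
    "15.01.2019 11:53:39 2728 PACKET  000000E7932A4220 UDP Snd 192.168.0.254   4eb1   Q [0001   D   NOERROR] AAAA   (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)",
    "15.01.2019 11:53:40 2728 PACKET  000000E796562170 UDP Rcv 192.168.0.16    4c9f   Q [0001   D   NOERROR] A      (12)NameOfServer(3)dom(5)local(0)",
]


def decode_labels(wire_text: str) -> str:
    """Turn "(3)dom(5)local(0)" into "dom.local", checking every length prefix."""
    labels = []
    for length, label in LABEL_RE.findall(wire_text):
        if int(length) != len(label):
            raise ValueError(f"label length {length} does not match {label!r}")
        if label:  # skip the empty root label "(0)"
            labels.append(label)
    return ".".join(labels)


def flag_suspicious(log_lines):
    """Return (timestamp, direction, peer, qtype, name, tld) for queries on the watch list."""
    findings = []
    for line in log_lines:
        m = PACKET_RE.match(line.strip())
        if not m:  # skip the "UDP question info" detail lines
            continue
        name = decode_labels(m["name"])
        tld = name.rsplit(".", 1)[-1].lower()
        if tld in SUSPICIOUS_TLDS:
            findings.append((m["ts"], m["dir"], m["peer"], m["qtype"], name, tld))
    return findings


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious TLD .%s: %s %s %s %s %s" % (hit[5], hit[0], hit[1], hit[2], hit[3], hit[4]))
```

The Rcv line identifies the internal client that originated the lookup (the NAS here), while the Snd line is only the domain controller forwarding it upstream, which is why the UTM sees the domain controller as the source.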