Domain not found : DNS Block : Responder 8.8.8.8

InTheJuniverse (Level 1)

I have set a report for "Security Intelligence Event - DNS Phishing Domain"  category, IOC is "Set". So, I have attached alerts and email.

Email:

=====================================================================

<*- Host IOC Set From "XYZ FP Host" at Fri Jan  4 12:20:55 2019 UTC -*>   IP Address: x.x.x.x Category: Phishing Target; Event Type: Security Intelligence Event - DNS Phishing Domain: Global \ "DomainName"

======================================================================

Looking at the email and the event (attachment), what does it mean? I understand that a system is infected with malware and is trying to send some information (not really sensitive information, but anything). Firepower detected DNS URL phishing and, rightly so, sent a Domain Not Found and blocked it.

 

1) Am I correct? Does this PC need an antivirus scan (we are not on AMP for Endpoints) and need to get rid of this malware?

2) Why is the responder IP 8.8.8.8? Is it because we are using 8.8.8.8 as the DNS server?

Thank you.

2 Replies

Nikolaj Pabst (Level 5)

Hi @InTheJuniverse,

This event is simply a client calling a DNS name from 8.8.8.8 (Google DNS) that has a "bad reputation".

You can trigger this event by doing an nslookup at 8.8.8.8 on examplemalwaredomain.com

/Nikolaj
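As an added illustration of what the "Domain Not Found" action looks like on the wire (example code written for this page, not from the thread, from Cisco, or from any Firepower component): a toy DNS filter that builds the A query an nslookup would send, matches the queried name and its parent domains against a reputation list, and answers a listed name with an NXDOMAIN (RCODE 3) that echoes the client's transaction ID so the stub resolver accepts it; unlisted names get a canned A record. The list entry (examplemalwaredomain.com, the test name from the reply above), the 192.0.2.1 answer (RFC 5737 TEST-NET) and the transaction IDs are constructed for the demo and are assumptions, not values from the event.

```python
# Added example: toy DNS reputation filter that answers blocked names with
# NXDOMAIN, the response type behind a "Domain Not Found" block. Not Cisco
# code. The block list, transaction IDs and the 192.0.2.1 answer are
# constructed for this demo.
import struct

# Constructed reputation list (assumption): the test name from the reply.
BLOCKED_DOMAINS = {"examplemalwaredomain.com"}

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3

# Header flag words: QR | RD | RA, with RCODE in the low nibble.
FLAGS_QUERY = 0x0100          # RD set, as a stub resolver sends it
FLAGS_NOERROR = 0x8180        # QR=1, RD=1, RA=1, RCODE=0
FLAGS_NXDOMAIN = 0x8183       # QR=1, RD=1, RA=1, RCODE=3


def encode_name(qname: str) -> bytes:
    """Encode a dotted name as DNS labels: b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_query(pkt: bytes):
    """Return (txid, lowercased qname, raw question section) from a query."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # a compression pointer is not valid in the question
            raise ValueError("malformed question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    off += 4  # skip QTYPE and QCLASS
    return txid, ".".join(labels).lower(), pkt[12:off]


def is_blocked(qname: str) -> bool:
    """Match the exact name or any parent domain against the list."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


def build_response(query: bytes) -> bytes:
    """Answer a query the way an in-path 'Domain Not Found' filter would."""
    txid, qname, question = parse_query(query)
    if is_blocked(qname):
        # NXDOMAIN with the client's own txid: the resolver treats the name as
        # non-existent ("Domain not found") instead of waiting for a timeout.
        return struct.pack("!HHHHHH", txid, FLAGS_NXDOMAIN, 1, 0, 0, 0) + question
    # Unlisted name: canned A record 192.0.2.1 (assumption, TEST-NET address).
    header = struct.pack("!HHHHHH", txid, FLAGS_NOERROR, 1, 1, 0, 0)
    # NAME is a pointer to offset 12 (the question name), TYPE A, CLASS IN,
    # TTL 60, RDLENGTH 4, then the address bytes.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def rcode(resp: bytes) -> int:
    """Extract the RCODE from the response header flags."""
    return struct.unpack("!H", resp[2:4])[0] & 0x000F


def answered_ip(resp: bytes):
    """Return the A record from a single-answer response, or None."""
    if rcode(resp) != RCODE_NOERROR:
        return None
    ancount = struct.unpack("!H", resp[6:8])[0]
    if ancount == 0:
        return None
    return ".".join(str(b) for b in resp[-4:])


def lookup(qname: str):
    """Simulate client -> filter -> client; returns (rcode, ip_or_None)."""
    resp = build_response(build_query(qname))
    return rcode(resp), answered_ip(resp)


if __name__ == "__main__":
    for name in ("examplemalwaredomain.com", "www.examplemalwaredomain.com", "example.com"):
        code, ip = lookup(name)
        print(f"{name}: rcode={code} ({'NXDOMAIN' if code == RCODE_NXDOMAIN else 'NOERROR'}) ip={ip}")
```

The NXDOMAIN response is what the endpoint sees regardless of which server the query was addressed to; the event's responder IP is simply the DNS server the client queried, so a client pointed at Google DNS shows 8.8.8.8 there, as the reply above notes. Running the same nslookup from a machine inside the policy and seeing "Non-existent domain" for a name that resolves from outside is a quick way to confirm the block is coming from the policy rather than from the upstream resolver.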

Thank you. Could you please elaborate?

Is it possible to find which domain name it calls? If it's malicious, could it indicate that the client is infected with malware? I see many of these for our DNS servers.

Thank you.
