INFO: Sinkhole DNS Events Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SEVERITY LEVEL: INFO

This report lists DNS queries seen from recursive DNS servers for sinkholed domains. Please note that the IP listed are not the same as the actual source IP of the client that is making the query and hence are likely not infected hosts. This report therefore is to be used primarily to support investigations into a threat, and not as a source of direct identification of infected  hosts.

Severity levels are described here.

Filename: event4_sinkhole_dns

Fields

  • timestamp
    Timestamp in UTC+0 of the DNS query
  • protocol
    Protocol of the connection traffic (UDP/TCP)
  • src_ip
    IP of the recursive resolver making the query
  • src_port
    Source port of the query
  • src_asn
    ASN of the recursive resolver
  • src_geo
    Country location of the recursive resolver
  • src_region
    Region of the recursive resolver
  • src_city
    City of the recursive resolver
  • src_hostname
    Reverse DNS of the recursive resolver
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • severity
    Severity level
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Tagging information, such as information on which threat is associated with the sinkholed domain
  • query_type
    DNS query type (eg. NS, SOA, A)
  • query
    Sinkholed domain name being queried
  • count
    Number of queries seen

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","infection","family","tag","query_type","query","count"
"2010-02-10 00:00:00",udp,192.168.0.1,26556,64512,ZZ,Region,City,node01.example.com,0,,,,,info,beebone,beebone,,A,2-1-2-3-2.example.org,1
"2010-02-10 00:00:01",udp,192.168.0.2,23509,64512,ZZ,Region,City,node02.example.com,0,,,,,info,beebone,beebone,,A,2-1-2-3-2.example.org,1
"2010-02-10 00:00:02",udp,192.168.0.3,41989,64512,ZZ,Region,City,node03.example.com,0,"Communications, Service Provider, and Hosting Service",,,,info,beebone,beebone,,A,2-1-2-3-2.example.org,1

Our 132 Report Types