
EDR Server: Open DNS and Response show differing domain names when connecting to the same IP

Environment

  • EDR Server: 6.X and higher
  • OpenDNS: All Versions

Symptoms

OpenDNS shows queries for a malicious domain that resolved to a specific IP address, but EDR (formerly Cb Response) shows a different domain name, or no domain name, on the network connection event to that same IP at that time.

Cause

More than one domain name resolves to the IP address. The operator points several names at the same infrastructure (or rotates names) so that blocking the parent domain does not stop the connections. OpenDNS records the name the client queried; EDR records the name the endpoint associated with the connection, which can be a different name that resolved to the same IP. Passive DNS replication data, which records observed name-to-IP mappings, is what makes this many-names-to-one-IP relationship visible.

Resolution

  • Follow security best practices to prevent connections to malicious domains (for example, block the malicious names in OpenDNS and the destination IP at the perimeter, not just the one name that alerted).
  • Correlate OpenDNS hits with EDR network connection events by destination IP address and timestamp rather than by domain name, and treat every name that has resolved to that IP as part of the same malicious infrastructure.

Additional Notes

  • Passive DNS replication is a technique that reconstructs zone data from captured name server responses, without any cooperation from the zone administrators. Querying such data for an IP address returns every name that has been observed resolving to it. This is why one host's connection to an IP address may be recorded under the domain name "malicious.example" while a different application or host connecting to the same IP is recorded under a different name such as "malicious.different.example": both names resolve to the same IP, and each tool logs the name it happened to observe.
  • An example of passive DNS replication data can be seen in VirusTotal's report for an IP address, where the "Passive DNS Replication" section lists the domain names observed resolving to that IP.
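The correlation step described under Resolution, together with the passive DNS note above, as an added worked example. This is not the article's or Carbon Black's code. The resolver log layout ("timestamp,client_ip,query_name,answer_ip") and the netconn layout ("timestamp|remote_ip|port|proto|outbound|domain") are simplified assumptions for the example, not the products' real export formats, and all log lines are constructed. The script builds a passive-DNS style index (answer IP to every name seen resolving to it) from the resolver log, then joins each EDR connection to resolver queries for the same IP within a time window and classifies whether the name EDR recorded agrees with what the resolver saw.

```python
"""Correlate EDR network-connection (netconn) events with OpenDNS-style resolver logs
by destination IP and timestamp, and build a passive-DNS view of the names an IP has served."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, simplified resolver log: "timestamp,client_ip,query_name,answer_ip".
# This is NOT OpenDNS/Umbrella's real export layout; it is an assumption for the example.
DNS_LOG = """\
2019-06-04T14:02:11Z,10.1.1.20,malicious.example,203.0.113.5
2019-06-04T14:03:40Z,10.1.1.20,cdn.benign.example,198.51.100.9
2019-06-04T16:09:58Z,10.1.1.22,malicious.different.example,203.0.113.5
2019-06-04T16:10:20Z,10.1.1.22,malicious.different.example,203.0.113.5
"""

# Constructed, simplified EDR netconn records: "timestamp|remote_ip|port|proto|outbound|domain".
# Modeled loosely on EDR's pipe-delimited netconn field; treat the exact layout as an assumption.
NETCONN_LOG = """\
2019-06-04T14:02:13Z|203.0.113.5|443|6|true|malicious.different.example
2019-06-04T14:03:41Z|198.51.100.9|443|6|true|cdn.benign.example
2019-06-04T16:10:03Z|203.0.113.5|80|6|true|
2019-06-04T18:00:00Z|192.0.2.77|443|6|true|unknown.example
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_name(name):
    # Lower-case and strip a trailing dot so "Malicious.Example." equals "malicious.example".
    return name.strip().lower().rstrip(".")


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, qname, answer_ip = line.split(",")
        records.append({"ts": parse_ts(ts), "client": client_ip.strip(),
                        "qname": normalize_name(qname), "ip": answer_ip.strip()})
    return records


def parse_netconn_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, proto, outbound, domain = line.split("|")
        records.append({"ts": parse_ts(ts), "ip": ip.strip(), "port": int(port),
                        "proto": int(proto), "outbound": outbound.strip() == "true",
                        "domain": normalize_name(domain)})
    return records


def build_pdns_index(dns_records):
    """Passive-DNS style index: answer IP -> {name: {first_seen, last_seen, count}}.
    Derived purely from observed responses (no zone transfer, no help from the zone owner),
    which is what "passive DNS replication" means."""
    index = defaultdict(dict)
    for r in dns_records:
        entry = index[r["ip"]].setdefault(
            r["qname"], {"first_seen": r["ts"], "last_seen": r["ts"], "count": 0})
        entry["first_seen"] = min(entry["first_seen"], r["ts"])
        entry["last_seen"] = max(entry["last_seen"], r["ts"])
        entry["count"] += 1
    return index


def correlate(dns_records, netconn_records, window=timedelta(seconds=60)):
    """For each EDR connection, find resolver queries that returned the same IP within +/- window
    and classify whether the name EDR recorded agrees with what the resolver saw.
    The window absorbs clock skew between sensor and resolver and TTL-cached answers;
    widen it if endpoints cache aggressively."""
    pdns = build_pdns_index(dns_records)
    by_ip = defaultdict(list)
    for r in dns_records:
        by_ip[r["ip"]].append(r)
    results = []
    for nc in netconn_records:
        nearby = sorted({r["qname"] for r in by_ip.get(nc["ip"], [])
                         if abs(r["ts"] - nc["ts"]) <= window})
        all_names = sorted(pdns.get(nc["ip"], {}))
        if not nc["domain"]:
            status = "no_domain_in_edr"          # sensor saw the connection but no name
        elif nc["domain"] in nearby:
            status = "match"
        elif nearby:
            status = "different_name_same_ip"    # the symptom this article describes
        else:
            status = "no_resolver_query_in_window"
        results.append({"ts": nc["ts"], "ip": nc["ip"], "port": nc["port"],
                        "edr_domain": nc["domain"], "resolver_names_in_window": nearby,
                        "all_names_for_ip": all_names, "status": status})
    return results


if __name__ == "__main__":
    dns = parse_dns_log(DNS_LOG)
    for row in correlate(dns, parse_netconn_log(NETCONN_LOG)):
        print(f"{row['ts']:%H:%M:%S} {row['ip']}:{row['port']} edr={row['edr_domain'] or '-'} "
              f"resolver={row['resolver_names_in_window']} "
              f"known_names={row['all_names_for_ip']} -> {row['status']}")
```

The first connection is the case from this article: the resolver saw a query for malicious.example two seconds before the endpoint connected to 203.0.113.5, while EDR recorded malicious.different.example for that connection, so it is flagged different_name_same_ip and the known_names column shows both names belong to the same IP. Pivoting on the IP (and on every name in known_names) rather than on the single alerting name is what keeps the rest of the infrastructure from slipping past a domain-only block.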

Article Information
Creation Date: 06-04-2019