Environment
- EDR Server: 6.X and higher
- Open DNS: All Versions
Symptoms
Open DNS shows hits to a malicious domain via a specific IP address, but Response does not show the same domain name for the same event.
Cause
The malicious domain is using Passive DNS Replication, routing connections through different domain names so that the parent domain avoids detection.
Resolution
- Follow security best practices to avoid connections to malicious domains.
- Compare IP addresses and timestamps between Open DNS and Response to help identify the malicious behavior.
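The comparison in the second step, as an added example (not part of the original article or the product's own tooling): join Open DNS hits to Response network-connection events on destination IP within a time window and flag events where the two sources recorded different domain names. The log fields and sample entries are constructed for illustration.

```python
# Added example: correlate Open DNS hits with Response netconn events by
# destination IP and timestamp, flagging domain-name disagreements.
# Field layouts and sample values below are constructed, not real product output.
from datetime import datetime, timedelta

# Constructed Open DNS hits: (timestamp, domain, destination IP)
OPENDNS_HITS = [
    ("2024-05-01T10:00:05Z", "malicious.example", "203.0.113.10"),
    ("2024-05-01T10:07:30Z", "benign.example", "198.51.100.7"),
]
# Constructed Response netconn events: (timestamp, domain, destination IP, host)
RESPONSE_NETCONNS = [
    ("2024-05-01T10:00:09Z", "malicious.different.example", "203.0.113.10", "host-a"),
    ("2024-05-01T10:07:31Z", "benign.example", "198.51.100.7", "host-b"),
    ("2024-05-01T11:30:00Z", "unrelated.example", "203.0.113.10", "host-c"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def correlate(opendns_hits, response_netconns, window_seconds=60):
    """Join both sources on destination IP when their timestamps fall within
    window_seconds of each other. Each match records both domain names and a
    domain_mismatch flag, which is the symptom this article describes."""
    window = timedelta(seconds=window_seconds)
    matches = []
    for od_ts, od_domain, od_ip in opendns_hits:
        od_time = _parse(od_ts)
        for r_ts, r_domain, r_ip, host in response_netconns:
            if r_ip != od_ip:
                continue
            if abs(_parse(r_ts) - od_time) > window:
                continue  # same IP, but too far apart to be the same event
            matches.append({
                "ip": od_ip,
                "host": host,
                "opendns_domain": od_domain,
                "response_domain": r_domain,
                "domain_mismatch": od_domain.lower() != r_domain.lower(),
            })
    return matches

if __name__ == "__main__":
    for m in correlate(OPENDNS_HITS, RESPONSE_NETCONNS):
        flag = "MISMATCH" if m["domain_mismatch"] else "ok"
        print(f"{flag:8} {m['host']} {m['ip']} "
              f"opendns={m['opendns_domain']} response={m['response_domain']}")
```

Widening window_seconds pulls in later connections to the same IP from other hosts, which is useful when checking whether the address keeps being reached under yet another name.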
Additional Notes
- Passive DNS replication is a technique that constructs zone replicas without cooperation from zone administrators, based on captured name server responses. As a result, a connection to an IP address may show a domain name of "malicious.example", while a different application or host using the same IP may see a different domain name such as "malicious.different.example".
- An example of DNS replication can be seen within VirusTotal.