Threat activity - BlueCat DNS Edge

DNS Edge User Guide


The Threat Activity tab on the DNS activity screen displays DNS queries flagged as possible DGA or tunneling threats, based on the indicators described below. Available information includes the date and time of the query, the source and site, the query name and type, the threat type and indicator, and the policy action (block, allow, monitor, or redirect) that was taken. You can filter the list by time, sites, site groups, threat types and indicators, and other criteria.

About threat indicators
  • DGA: A DGA (domain generation algorithm) is a technique used by malware to generate large numbers of domain names that can be used as rendezvous points with its (botnet) command-and-control servers.

    Queries that match the entropy indicator (character analysis of the registered domain name shows the characteristics of a DGA domain) are flagged as a potential DGA threat.

  • Tunneling: DNS tunneling encodes the data of other programs or protocols in DNS queries and responses.
    Queries that match any of the following indicators are flagged as a potential tunneling threat:
    • uniqueChar: There are more than 27 unique characters in the host name.
    • uncommonRec: The record type isn't one of A, AAAA, PTR, CNAME, TXT, SOA, or SRV.
    • hostSize: The host name is more than 70 characters long.
    • volTunnel: Volumetric analysis of queries indicates DNS tunneling.

    DNS Edge evaluates queries over a one-hour window. When a domain incurs more than 75 distinct queries that meet the tunneling criteria from a single client, DNS Edge adds it to a system-maintained domain list. The TTL (time to live) value indicates how long a domain remains on the list after it was last observed. For each domain on the list, its last-observed date and time is shown, along with its expiry date and time, which is computed from the TTL.

  • Suspected threat indicators: DNS Edge flags the following types of queries as suspected threats:
    • Suspect TLD: Queries that match a DNS Edge-maintained list of top-level domains known to be subject to abuse.
    • Suspect DNS: Queries that match domains which are known to be suspect.

    To find suspect queries in the DNS Activity list, filter by /threatind susdns or /threatind sustld. On the Threat Activity tab, suspect queries are logged with the threat type None.

    You can't base a policy on a threat indicator, but if you want to monitor or block suspect TLD or suspect DNS queries, create a domain list that matches the flagged queries, and add that to a policy.
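The following script is an added illustration, not BlueCat code, of how the thresholds stated above can be applied to a query log: the three per-query tunneling indicators (uniqueChar, uncommonRec, hostSize), a Shannon-entropy check on the registered domain standing in for the DGA entropy indicator, and a sliding one-hour window that fires volTunnel once more than 75 distinct qualifying query names for one registered domain are seen from one client. The entropy threshold (3.5 bits per character), the naive last-two-labels registered-domain extraction, counting the dot as a character in uniqueChar, and the sample records are all assumptions made for this example; the guide does not publish how DNS Edge computes entropy.

```python
"""Tunneling and DGA indicator checks modelled on the thresholds in the DNS Edge
guide. Added illustration, not BlueCat code. Sample data is constructed."""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds stated in the guide
COMMON_RECORD_TYPES = {"A", "AAAA", "PTR", "CNAME", "TXT", "SOA", "SRV"}
UNIQUE_CHAR_LIMIT = 27
HOST_SIZE_LIMIT = 70
VOL_TUNNEL_WINDOW = timedelta(hours=1)
VOL_TUNNEL_THRESHOLD = 75
# Assumption: the guide gives no entropy threshold; 3.5 bits/char is a common
# heuristic used here for illustration only.
ENTROPY_THRESHOLD = 3.5


def registered_domain(qname):
    """Assumption: registered domain = last two labels. A real implementation
    would consult the public suffix list (e.g. co.uk)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunneling_indicators(qname, qtype):
    """Per-query tunneling indicators from the guide that fire for this query."""
    host = qname.rstrip(".")
    hits = []
    if len(set(host)) > UNIQUE_CHAR_LIMIT:      # dots counted as characters (assumption)
        hits.append("uniqueChar")
    if qtype.upper() not in COMMON_RECORD_TYPES:
        hits.append("uncommonRec")
    if len(host) > HOST_SIZE_LIMIT:
        hits.append("hostSize")
    return hits


def dga_indicators(qname):
    """Entropy check on the registrable label of the registered domain."""
    label = registered_domain(qname).split(".")[0]
    return ["entropy"] if shannon_entropy(label) > ENTROPY_THRESHOLD else []


class VolTunnelTracker:
    """Counts distinct tunneling-criteria query names per (client, registered
    domain) inside a sliding one-hour window."""

    def __init__(self):
        self.seen = defaultdict(dict)  # (client, domain) -> {qname: last seen}

    def observe(self, ts, client, qname, qtype):
        """Record the query; return True when the domain crosses the threshold."""
        if not tunneling_indicators(qname, qtype):
            return False
        names = self.seen[(client, registered_domain(qname))]
        names[qname] = ts
        cutoff = ts - VOL_TUNNEL_WINDOW
        for stale in [n for n, t in names.items() if t < cutoff]:
            del names[stale]            # expire names outside the window
        return len(names) > VOL_TUNNEL_THRESHOLD


def analyze(records):
    """records: iterable of (datetime, client_ip, qname, qtype).
    Returns [(ts, client, qname, [indicators...])] for flagged queries only."""
    tracker = VolTunnelTracker()
    flagged = []
    for ts, client, qname, qtype in sorted(records):
        ind = tunneling_indicators(qname, qtype) + dga_indicators(qname)
        if tracker.observe(ts, client, qname, qtype):
            ind.append("volTunnel")
        if ind:
            flagged.append((ts, client, qname, ind))
    return flagged


def sample_records():
    """Constructed sample: 80 distinct long subdomains of exfil.example from one
    client within 30 minutes, one benign query, and one random-looking name."""
    base = datetime(2017, 3, 15, 9, 0, 0)
    recs = []
    for i in range(80):
        sub = hashlib.sha256(str(i).encode()).hexdigest()   # 64 hex chars
        recs.append((base + timedelta(seconds=20 * i), "10.0.0.7",
                     f"{sub}.exfil.example", "A"))
    recs.append((base, "10.0.0.8", "www.example.com", "A"))
    recs.append((base, "10.0.0.8", "xk3q9vmz2lpw7a.biz", "A"))
    return recs


if __name__ == "__main__":
    for ts, client, qname, ind in analyze(sample_records()):
        print(ts.isoformat(), client, qname[:24], ind)
```

In the constructed sample the first 75 long-subdomain queries are flagged with hostSize only; queries 76 through 80 additionally carry volTunnel, which mirrors the guide's rule that the domain list entry is created only once the per-client, per-hour count exceeds 75.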

Viewing threat activity

  1. In the DNS Edge window, open the DNS activity screen.
  2. Select the Threat Activity tab.
  3. Use filter commands to search for DNS queries by the following criteria:
    • date & time
    • latency
    • site
    • source IP
    • query type
    • query name
    • response code
    • response IP
    • policy name
    • policy action
    • threat type
    • threat indicator

    Criteria can be combined, and DNS Edge will only return queries when all of the specified conditions are met.

    Examples

    /threattype dga /threatind uniquechar

    When you enter the filter command, the results display and the text in the command bar turns green. Results remain filtered until you begin typing another command.

  4. Click to add another tab. In the Add Tab window, select the available columns on the left, then click Add Tab. You must enter a name for the tab in the Title field. You can add multiple columns to the tab, and click and drag a selected column on the right to re-order the columns. To delete the tab, click the delete button beside the tab name.
    Note: The Date & Time column is selected by default.
  5. Click to select the columns you want displayed in the tab. In the Update Tab window, select the available columns on the left, then click Update Tab. You can click and drag a selected column on the right to re-order the columns. To restore the default columns and order, click Restore Defaults.

  6. Click a row in the Threat Activity table to view more details about a query.
    Tip: When the threat indicator is Vol Tunnel, you can click the VolTunnel link to view the system-maintained tunneling domain list.
    (Screenshot: DNS query information panel)

    In the DNS query information panel, you can click links to view sites, namespaces, policies, and (for Vol Tunnel threat indicators) system lists associated with the query. When you click a link, a new tab opens in the panel, allowing you to return to the query information easily.

    Click next to different fields to filter the DNS activity results based on the value of that field.

    Click Inspect Client Activity to retrieve additional query information from the source IP of the current query. For more information, refer to Client activity.

  7. To return to the map view, click .
  8. To view the system-maintained tunneling domain list, click and select System Defined Lists.
    Tip: You can download the system-maintained domain lists.
Filter command tips
  • Enter times in 24-hour format (HH:MM:SS). All digits are required.
  • Enter dates in MM-DD-YYYY format (03-15-2017). All digits are required.
  • Filters become active when you press Enter and remain active until you change the text in the command bar. Active filters are indicated by green text in the command bar.
  • You can use one or more filters at a time on the command line. For example, you can combine filters for date/time, policy action, and site name.
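As an added illustration of the filter-command behaviour described in steps 3 and in the tips above (not BlueCat code), the following parser turns a command such as /threattype dga /threatind uniquechar into a set of criteria, rejects times and dates that are not fully padded HH:MM:SS and MM-DD-YYYY, and applies the criteria with AND semantics so that a row is returned only when every condition holds. Only the /threattype and /threatind keys and the two date/time formats come from the guide; the other key names, case-insensitive exact matching, and the sample rows are assumptions made for this example.

```python
"""Toy parser and evaluator for DNS Edge-style filter commands.
Added illustration, not BlueCat code; sample rows are constructed."""
import re

# Formats stated in the guide: all digits required
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")
DATE_RE = re.compile(r"^\d{2}-\d{2}-\d{4}$")

# Only threattype and threatind are documented keys; the rest are assumed
# names for the other criteria the guide lists (date/time, latency, site, ...).
KNOWN_KEYS = {"date", "time", "latency", "site", "srcip", "qtype", "qname",
              "rcode", "respip", "policy", "action", "threattype", "threatind"}

# Constructed sample rows in the shape of the Threat Activity table
SAMPLE_ROWS = [
    {"date": "03-15-2017", "time": "09:00:05", "site": "HQ",
     "threattype": "DGA", "threatind": "entropy", "action": "block"},
    {"date": "03-15-2017", "time": "09:00:07", "site": "HQ",
     "threattype": "Tunneling", "threatind": "uniqueChar", "action": "monitor"},
    {"date": "03-15-2017", "time": "09:01:00", "site": "Branch",
     "threattype": "Tunneling", "threatind": "volTunnel", "action": "block"},
    {"date": "03-15-2017", "time": "09:02:30", "site": "Branch",
     "threattype": "None", "threatind": "susDns", "action": "allow"},
]


def parse_filter(command):
    """Parse '/key value /key value ...' into {key: value}.
    Raises ValueError on an unknown key, a missing value, or a malformed
    date/time. Values may contain spaces (e.g. a multi-word site name)."""
    tokens = command.split()
    if not tokens or not tokens[0].startswith("/"):
        raise ValueError("a filter must start with /key")
    filters, key = {}, None
    for tok in tokens:
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key not in KNOWN_KEYS:
                raise ValueError(f"unknown filter key: /{key}")
            filters[key] = ""
        else:
            filters[key] = (filters[key] + " " + tok).strip()
    for k, v in filters.items():
        if not v:
            raise ValueError(f"missing value for /{k}")
    if "time" in filters and not TIME_RE.match(filters["time"]):
        raise ValueError("time must be 24-hour HH:MM:SS with all digits")
    if "date" in filters and not DATE_RE.match(filters["date"]):
        raise ValueError("date must be MM-DD-YYYY with all digits")
    return filters


def filter_error(command):
    """Return the validation error for a command, or None if it is valid."""
    try:
        parse_filter(command)
        return None
    except ValueError as exc:
        return str(exc)


def apply_filters(rows, filters):
    """AND semantics: keep a row only when every criterion matches.
    Assumption: case-insensitive exact match on each field."""
    return [row for row in rows
            if all(str(row.get(k, "")).lower() == v.lower()
                   for k, v in filters.items())]


if __name__ == "__main__":
    for cmd in ("/threattype dga /threatind uniquechar",
                "/threattype tunneling /site branch",
                "/threatind susdns"):
        hits = apply_filters(SAMPLE_ROWS, parse_filter(cmd))
        print(f"{cmd!r}: {len(hits)} row(s)")
```

Note that the guide's own example, /threattype dga /threatind uniquechar, returns nothing against these rows: uniqueChar is a tunneling indicator, so no row can satisfy both conditions at once. That is the AND behaviour the guide describes, and it is worth remembering when a filter unexpectedly comes back empty.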