EDR Server: Open DNS and Response show differing domain names when connecting to the same IP



Article ID: 285949


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Open DNS shows hits to a malicious domain via specific IP, but Response does not show the same domain name for the same event.

Environment

  • EDR Server: 6.X and higher
  • Open DNS: All Versions

Cause

The malicious domain is using Passive DNS Replication, routing connections to different domains to avoid detection of the parent domain.

Resolution

  • Follow security best practices to avoid connections to malicious domains.
  • Compare IP addresses and timestamps between Open DNS and Response to help identify the malicious behavior.
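The comparison in the second step can be scripted. The following is an added example, not Carbon Black's or OpenDNS's own code: it joins OpenDNS log rows with EDR network-connection events on the remote IP within a time window and flags cases where the two systems recorded different domain names for the same IP. The record layouts and the sample rows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Field layout is an assumption:
# OpenDNS export rows: (timestamp, querying host, domain, answer IP)
OPENDNS_ROWS = [
    ("2024-01-10T12:00:03", "host-a", "malicious.example", "203.0.113.10"),
    ("2024-01-10T12:07:41", "host-b", "cdn.legit.example", "198.51.100.7"),
]
# EDR netconn rows: (timestamp, host, domain recorded by the sensor, remote IP)
EDR_ROWS = [
    ("2024-01-10T12:00:05", "host-a", "malicious.different.example", "203.0.113.10"),
    ("2024-01-10T12:07:39", "host-b", "cdn.legit.example", "198.51.100.7"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(opendns_rows, edr_rows, window_seconds=60):
    """Match OpenDNS answers to EDR netconns on remote IP within a time window.
    Each result carries both domain names; 'mismatch' is True when the same IP
    was seen under different names, which is the symptom described above."""
    by_ip = {}
    for ts, host, domain, ip in opendns_rows:
        by_ip.setdefault(ip, []).append((parse(ts), host, domain))
    window = timedelta(seconds=window_seconds)
    results = []
    for ts, host, domain, ip in edr_rows:
        t = parse(ts)
        for ots, ohost, odomain in by_ip.get(ip, []):
            if abs(ots - t) <= window:
                results.append({
                    "ip": ip, "host": host,
                    "opendns_domain": odomain, "edr_domain": domain,
                    "delta_s": abs((ots - t).total_seconds()),
                    "mismatch": odomain != domain,
                })
    return results


if __name__ == "__main__":
    for r in correlate(OPENDNS_ROWS, EDR_ROWS):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f'{flag:8} {r["ip"]} opendns={r["opendns_domain"]} '
              f'edr={r["edr_domain"]} dt={r["delta_s"]:.0f}s')
```

Rows that match on IP and time but carry different names are the ones to investigate; the IP and timestamp, not the domain string, are the reliable join keys.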

Additional Information

  • Passive DNS replication is a technique that constructs zone replicas without the cooperation of zone administrators, based on captured name server responses. As a result, a connection to an IP address may be recorded under the domain name "malicious.example", while a different application or host using the same IP may see a different domain name such as "malicious.different.example".
  • An example of DNS replication seen within VirusTotal: https://www.virustotal.com/#/ip-address/84.38.134.225