A customer Sophos-UTM reports Intrusion protection alert warnings INDICATOR-COMPROMISE suspicious .null dns query:
2019:01:15-11:54:13 utm-ba snort[31619]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE suspicious .null dns query" group="241" srcip="192.168.0.1" dstip="192.168.0.254" proto="17" srcport="49445" dstport="53" sid="48666" class="Misc activity" priority="3" generator="1" msgid="0"
We enabled DNS logging on the domain controller and get this data. (Names are obfuscated)
From the DNS log of the domain controller
Devices in the log
- 192.168.0.1 = domain controller (DomainServer.dom.local)
- 192.168.0.16 = QNAP NAS
- 192.168.0.254 = Sophos UTM
15.01.2019 11:53:39 2728 PACKET 000000E796562170 UDP Rcv 192.168.0.16 4c9e Q [0001 D NOERROR] AAAA (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)
UDP question info at 000000E796562170
Socket = 556
Remote addr 192.168.0.16, port 56856
Time Query=533586, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0031 (49)
Message:
XID 0x4c9e
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)"
QTYPE AAAA (28)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
15.01.2019 11:53:39 2728 PACKET 000000E7932A4220 UDP Snd 192.168.0.254 4eb1 Q [0001 D NOERROR] AAAA (12)NameOfServer(3)dom(5)local(3)dev(4)null(0)
UDP question info at 000000E7932A4220
Socket = 11688
Remote addr 192.168.0.254, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x003c (60)
Message:
XID 0x4eb1
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 1
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(12)NameOfServer(3)dom(5)local(3)dev(4)null(0)"
QTYPE AAAA (28)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
Offset = 0x0031, RR count = 0
Name "(0)"
TYPE OPT (41)
CLASS 4000
TTL 32768
DLEN 0
DATA
Buffer Size = 4000
Rcode Ext = 0
Rcode Full = 0
Version = 0
Flags = 80 DO
Questions:
- Does anyone have an explanation why this is a potentially dangerous request?
- Is it only due do the
(3)dev(4)null(0)part in the request?
(We currently don't know why this requests are sent and I already asked on Superuser: DNS queries “DomainServer.dom.local.dev.null” by QNAP NAS)
Intrusion Detection and Intrusion Prevention is often some kind of behavioral analysis - Sophos does not see real malicious activity like a known malware or something like this, but it sees something that likely may be connected to malicious activities.
In your case Sophos is seeing a DNS query for .null and may assume that this TLD is likely connected to spammers or other malicious attackers. Same thing happens with .top or .ml - we often get warning messages with these TLDs. The sites that are visited are real and non-malicious, but as far as i read they are often used connected to malware, spam, c&c servers and so on.
About the notation (12)NameOfServer(3)dom(5)local(3)dev(4)null(0) - this is only the notation that Windows DNS server logs querys. For more information about this, read this ServerFault answer.
EDIT: As requested, here is an example of our Sophos log, a most recent entry from today (funfact - the client was mine, and the TLD was .glue...):
I cannot provide the Windows DNS log entry - I was investigating these messages a few weeks ago and had the log enabled for a day, but normaly we have it disabled.
Also I was again thinking about why you get this message - I would bet that somewhere on the NAS there is a network config (maybe the NAS itself or an installed app) where someone (since it is .dev.null I would bet a Linux admin...) did not want to enter real data, so he entered some bogus DNS hostnames.