High Reverse DNS queries
Posted by olivia_0721@reddit | sysadmin | 4 comments
Hi,
We’ve identified a single Windows device generating a high volume of reverse DNS (PTR) queries. This activity was flagged by Sentinel (?), but there is no indication of connections to external IPs.
Also to clarify, this does not appear to be related to any previously known activity (e.g., Malaysia-based alerts). At this stage, it looks more like excessive DNS querying rather than confirmed outbound communication.
The key challenge right now is pinpointing the exact process responsible on that device. Standard checks (Task Manager, Resource Monitor, basic logs) haven’t clearly identified the source.
Has anyone dealt with similar behavior?
What’s the most effective way to trace DNS queries back to the originating process on Windows?
Thanks.
msears101@reddit
I would treat it as a security incident. The first thing I would do is isolate it. Next I would get a list of the queries it is making. I would look for a pattern (random, all off net, all on net, etc.). The pattern could be a clue as to what is happening. Then I would find the offending process. Nothing should be doing lots of reverse lookups. It is possible that it is a benign task that is behaving unexpectedly.
mixduptransistor@reddit
Yeah, checking the queries and also the results is important. DNS can be a method of infiltrating or exfiltrating data that would otherwise be blocked by a firewall.
They might be sending data out in the form of data-as-hostname in the query, or the responses to the queries may contain commands from a malware command and control operator.
SwizzleTizzle@reddit
Run this on the affected machine to enable DNS client logs, then review them to find the offending process ID, from there trace back to which process it is.
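Added example, not code posted by anyone in the thread: the PowerShell below does what the two replies above describe, first enabling the Windows DNS Client operational log (it is off by default), then pulling the "DNS query is called" events (Event ID 3006), keeping only PTR queries (QueryType 12), attributing each to the process ID the event carries, and classifying the reverse-looked-up address as on-net or off-net so the query pattern msears101 mentions becomes visible. The EventData field names (QueryName, QueryType) are the ones event 3006 uses on current Windows 10/11 builds; if your build differs, check one event's XML and adjust. The private-range test is an assumption about a typical RFC 1918 address plan and should be replaced with your own ranges.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the affected host. Enables DNS client logging, then maps PTR queries to
# the process that issued them and to the address space being looked up.

# 1. Enable the operational DNS client log (persists until disabled with /e:false).
wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true

# 2. After letting it collect for a while, pull the "DNS query is called" events.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DNS-Client/Operational'
    Id      = 3006
} -ErrorAction SilentlyContinue

# Turn "4.3.2.1.in-addr.arpa" back into "1.2.3.4"; returns $null for non-IPv4 PTR names.
function ConvertFrom-PtrName {
    param([string]$Name)
    if ($Name -match '^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$') {
        return "$($Matches[4]).$($Matches[3]).$($Matches[2]).$($Matches[1])"
    }
    return $null
}

# Assumption: "on net" means RFC 1918 or link-local. Substitute your own address plan.
function Test-PrivateIPv4 {
    param([string]$Ip)
    return ($Ip -match '^10\.') -or
           ($Ip -match '^192\.168\.') -or
           ($Ip -match '^172\.(1[6-9]|2\d|3[01])\.') -or
           ($Ip -match '^169\.254\.')
}

$ptr = foreach ($e in $events) {
    # EventData fields are easiest to read from the event's XML representation.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['QueryType'] -ne '12') { continue }          # PTR only

    $ip   = ConvertFrom-PtrName $data['QueryName']
    $proc = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue   # $null if it has exited
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Pid       = $e.ProcessId
        Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path      = if ($proc) { $proc.Path } else { $null }
        QueryName = $data['QueryName']
        Target    = $ip
        Scope     = if (-not $ip) { 'non-IPv4' }
                    elseif (Test-PrivateIPv4 $ip) { 'on-net' }
                    else { 'off-net' }
    }
}

# 3. Which process is responsible?
$ptr | Group-Object Pid, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. What is the pattern: all on-net (sweep of the LAN), all off-net, or mixed?
$ptr | Group-Object Process, Scope | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 5. Eyeball the distinct targets: sequential (a scanner) versus random (suspicious).
$ptr | Select-Object -ExpandProperty Target -Unique | Select-Object -First 50
```

Two caveats when reading the output. The process ID is only useful while the process is still alive, so pull the events while the behaviour is ongoing, or pair this with Sysmon Event ID 22 (DnsQuery), which records the image path at query time. And a busy PID that resolves to svchost.exe or a monitoring agent is exactly the "benign task behaving unexpectedly" case from the first reply: check the service hosted in that svchost instance before assuming malware.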
poizone68@reddit
In addition to checking which queries it is running you might want to check what software is installed on that device. For example, if someone was testing out a monitoring suite and added lots of devices to it this could generate excessive DNS. Another example is someone running a license metric scanner or a SIEM that is not configured correctly.