Overview - My Internal DNS server is reporting botnet activity
If you see a large amount of unexpected traffic, or traffic identified as malware or botnet activity, logged against one of your networks or sites in the Umbrella Dashboard, there's a good chance an internal host is infected. Because the DNS requests are likely to be passing through an internal DNS server, the source IP that Umbrella sees is the IP of the DNS server rather than that of the original client, which makes the infected host difficult to track down on a firewall.
If this is the case, there’s nothing you can do with the Umbrella dashboard to identify the source. All requests will be logged against the network identity.
So what should I do?
There are a few things you could do, but without any other security products that might track this behaviour for you, the main one is to use the logs on the DNS server to see where the requests are coming from, then nuke the source.
We'd normally recommend running our Virtual Appliance (VA) which, among other benefits, gives host-level visibility of all DNS traffic on the internal network, making it very quick to pinpoint the source of this sort of issue.
However, we sometimes see cases where an internal host that is not pointing its DNS at the VAs is infected and is sending DNS requests through a Windows DNS server instead. In this scenario the VA has no way to see the DNS request (and therefore its source IP address), so all DNS queries that go through that DNS server are logged against the Network or Site identity.
Sounds easy - What's the catch?
The catch is that on Windows Server versions before 2016, this information is not logged by default; you need to enable it manually before the data can be captured. Notably, for Windows Server 2012 R2 you can install the hotfix below to make this level of logging available.
For other OS versions, and for further information on setting up debug logging on the DNS server, the Microsoft KB article below runs through the options and their usage, so we won't reinvent the wheel here.
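As an added example (not part of this article and not an Umbrella tool), the following Python script walks a Windows DNS server debug log and counts, per internal client IP, the queries the server received for the domain flagged in the dashboard, ignoring the server's own forwarded queries and the responses. It assumes debug logging with packet details is already enabled as described above; the log lines embedded in it are constructed to follow the debug log's packet-record layout, using the page's examplebotnetdomain.com and 18.104.22.168 as the upstream resolver.

```python
import re
from collections import Counter

# Constructed sample lines laid out like Windows DNS debug log packet records
# (date, time, thread id, context, packet id, protocol, Snd/Rcv, remote IP, xid,
# optional R flag for responses, opcode, [flags], qtype, name in label form).
SAMPLE_LOG = """\
3/28/2019 10:20:45 AM 0B2C PACKET  000000C5B0C8F2A0 UDP Rcv 192.168.168.129   0002   Q [0001   D   NOERROR] A      (19)examplebotnetdomain(3)com(0)
3/28/2019 10:20:45 AM 0B2C PACKET  000000C5B0C8F2A0 UDP Snd 18.104.22.168     0003   Q [0001   D   NOERROR] A      (19)examplebotnetdomain(3)com(0)
3/28/2019 10:20:45 AM 0B2C PACKET  000000C5B0C8F2A0 UDP Rcv 18.104.22.168     0003 R Q [8081   DR  NOERROR] A      (19)examplebotnetdomain(3)com(0)
3/28/2019 10:20:45 AM 0B2C PACKET  000000C5B0C8F2A0 UDP Snd 192.168.168.129   0002 R Q [8081   DR  NOERROR] A      (19)examplebotnetdomain(3)com(0)
3/28/2019 10:20:50 AM 0B2C PACKET  000000C5B0C8F2B0 UDP Rcv 192.168.168.40    0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/28/2019 10:21:02 AM 0B2C PACKET  000000C5B0C8F2C0 UDP Rcv 192.168.168.129   0005   Q [0001   D   NOERROR] A      (6)update(19)examplebotnetdomain(3)com(0)
3/28/2019 10:21:09 AM 0B2C PACKET  000000C5B0C8F2D0 TCP Rcv 192.168.168.77    0006   Q [0001   D   NOERROR] AAAA   (19)examplebotnetdomain(3)com(0)
"""

# One packet record; the optional "R" column marks a response, its absence a query.
PACKET_RE = re.compile(
    r"^\S+ \S+ \S+ [0-9A-Fa-f]+ PACKET\s+\S+ (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) "
    r"(?P<ip>\S+)\s+[0-9A-Fa-f]+\s+(?P<resp>R)?\s*(?P<op>\S)\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)$"
)


def label_to_name(label: str) -> str:
    """Convert the log's label form, e.g. '(3)www(7)example(3)com(0)', to 'www.example.com'."""
    return ".".join(p for p in re.findall(r"\(\d+\)([^(]*)", label) if p)


def find_internal_sources(log_text: str, suspicious_domain: str) -> Counter:
    """Count, per client IP, the queries the DNS server *received* for the
    suspicious domain or any name under it. Queries the server forwards upstream
    (Snd) and responses (R) are skipped, so only the original requesters remain."""
    suspicious_domain = suspicious_domain.lower().rstrip(".")
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)  # header and non-packet lines simply don't match
        if not m or m["dir"] != "Rcv" or m["resp"] == "R" or m["op"] != "Q":
            continue
        name = label_to_name(m["name"]).lower()
        if name == suspicious_domain or name.endswith("." + suspicious_domain):
            hits[m["ip"]] += 1
    return hits


if __name__ == "__main__":
    for client, n in find_internal_sources(SAMPLE_LOG, "examplebotnetdomain.com").most_common():
        print(f"{client:<16} {n} queries")
```

On a real server, read the configured debug log file (by default under the DNS server's system directory) into `log_text` instead of the constructed sample.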
What Are My Other Options?
You can leave a Wireshark capture running on the DNS server with a display filter that matches DNS traffic for the destination domain we're logging in the dashboard. That should give you enough visibility to find the source of the request.
For example, this capture run on a DNS server shows the client (192.168.168.129) making the request to the DNS server (192.168.168.228), then the DNS server making the query to the Umbrella Anycast servers (18.104.22.168), getting a response and serving this back to the client.
Filter suggestions would be something like the ones below (the first matches any query name containing the string, the second an exact query name):
dns.qry.name contains "examplebotnetdomain"
dns.qry.name eq "examplebotnetdomain.com"