Alexandre Takacs
asked on
strange .onion DNS requests from LAN
Hello
We are doing some DNS based filtering on our networks and lately, we see a significant amount of lookups for an onion site (hpaur4rufcjohrag.onion).
None of our users are running TOR and obviously our resolver will return an NXDOMAIN error for those but I still worry this is some sort of malware. Tried to google it but not seeing any obvious answer.
Opinions?
Dr. Klahn said it well, "something shady going on" describes this situation well.
So why didn't you start capturing the traffic to find out which IP addresses are requesting it? Or why didn't the filter logs already show it?
.onion DNS addresses are attempts to reach the TOR network; good that you block them, especially if you have no normal use for it.
If you need to know where it goes, you need a TOR-enabled system to see where the address goes.
(preferably a standalone system on a separated network).
The systems requesting the names should be considered damaged and investigated, and it could be wise to quarantine them.
You may also need to proxy DNS requests through a local DNS server, and block all other queries to prevent hardcoded DNS servers from being used by the malware.
Check your DNS logs, which may help you identify the IP that requested it. Or you may need to run a packet capture with a filter for .onion.
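The two answers above both come down to the same step: go through the resolver's query log and find which internal hosts are asking for the .onion name. The script below is an added example of that check and is not code from anyone in this thread; it assumes a simplified BIND-style query-log line format, and the sample lines, client addresses and timestamps are constructed for the demonstration (the queried name is the one from the question).

```python
import re
from collections import Counter

# Constructed sample lines in a simplified BIND-style query-log format.
# Real BIND logs carry extra fields; adjust QUERY_RE to match your resolver's output.
SAMPLE_LOG = """\
12-Mar-2019 09:14:02.117 client 10.0.0.21#52113 (hpaur4rufcjohrag.onion): query: hpaur4rufcjohrag.onion IN A + (10.0.0.1)
12-Mar-2019 09:14:02.450 client 10.0.0.33#41877 (www.example.com): query: www.example.com IN A + (10.0.0.1)
12-Mar-2019 09:14:05.002 client 10.0.0.21#52114 (hpaur4rufcjohrag.onion): query: hpaur4rufcjohrag.onion IN AAAA + (10.0.0.1)
12-Mar-2019 09:14:07.311 client 10.0.0.58#60211 (HPAUR4RUFCJOHRAG.ONION.): query: HPAUR4RUFCJOHRAG.ONION. IN A + (10.0.0.1)
12-Mar-2019 09:14:09.900 client 10.0.0.33#41878 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
"""

# Pull out the client IP, the queried name and the record type from one log line.
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \S+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def is_onion(name):
    """True if the queried name is under the .onion pseudo-TLD.

    Handles a trailing root dot and mixed case, so 'FOO.ONION.' counts but
    'onion.example.com' does not.
    """
    return name.rstrip(".").lower().endswith(".onion")


def onion_queries(log_text):
    """Return (client_ip, name, qtype) for every .onion lookup in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # line is not a query record (or a format we don't parse)
        if is_onion(m.group("name")):
            hits.append((m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")))
    return hits


def clients_by_query_count(log_text):
    """Map each internal client IP to the number of .onion lookups it made.

    These are the hosts the answers above say to investigate and quarantine.
    """
    return Counter(ip for ip, _, _ in onion_queries(log_text))


if __name__ == "__main__":
    for ip, count in clients_by_query_count(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} .onion lookup(s)")
```

Run it against your own log by reading the file into `onion_queries` instead of `SAMPLE_LOG`; the per-client count is what tells you which workstations to pull for investigation, and the same `is_onion` test is the condition you would put in the resolver's own block rule so the lookups keep failing while you do.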
ASKER
There was indeed malware on 3 workstations, which we managed to identify.