Query Details
// https://salsa.debian.org/pkg-security-team/dnsrecon/-/blob/debian/master/dnsrecon/cli.py#L196
// dnsrecon's NXDOMAIN hijack check queries a specific, generated domain name; this query looks for DNS lookups with that name's shape
DnsEvents
| where Name matches regex @"^[a-zA-Z0-9]{20}\.com$" and Name matches regex "[A-Z]" and QueryType in ("A", "AAAA")
| project
TimeGenerated,
Computer,
EventId,
SubType,
ClientIP,
Name,
QueryType,
ResultCode
This KQL (Kusto Query Language) query looks for DNS lookups whose queried name has the shape of the test name dnsrecon uses for its NXDOMAIN hijack check. A hit therefore points at a client running dnsrecon (reconnaissance against your resolvers), not at a resolver that is performing the hijack. Here is a breakdown of what the query does:

Data Source: It starts from the DnsEvents table, which holds DNS query events.

Filtering Criteria: It keeps only rows where the queried name (Name) matches the regex ^[a-zA-Z0-9]{20}\.com$, that is, exactly 20 letters or digits directly followed by .com, with no further labels; where Name also contains at least one uppercase letter ([A-Z]), which cuts out ordinary lookups because real hostnames are almost always queried in lowercase and KQL's matches regex is case-sensitive; and where QueryType is either "A" or "AAAA".

Projection: It outputs the following columns:
TimeGenerated: The time the event was generated.
Computer: The computer (DNS server) where the event was logged.
EventId: The ID of the event.
SubType: The subtype of the event.
ClientIP: The IP address of the client making the DNS query; this is the host to investigate.
Name: The DNS name that was queried.
QueryType: The type of DNS query (either "A" or "AAAA").
ResultCode: The result code of the DNS query. A generated name like this should normally come back NXDOMAIN; if the resolver answered it instead, that is exactly the behaviour dnsrecon's check reports as NXDOMAIN hijacking, so the result code is worth looking at on any hit.

In summary, this query identifies DNS queries that fit the pattern of dnsrecon's NXDOMAIN hijack test, so it can surface hosts running that tool and, through ResultCode, whether the resolver they tested answered a name it should not have. Because the pattern is only a name shape, verify hits by grouping on ClientIP and checking what else that client queried around the same time.
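The filter above re-implemented in Python so it can be exercised offline against constructed DnsEvents-style records. This is an added example, not code from the page's author or from dnsrecon; the two regexes are copied from the KQL query, the sample records are made up, and the assumption that ResultCode carries the DNS RCODE (0 = NOERROR, 3 = NXDOMAIN) is labelled in the code. It also goes one step past the query by counting probes per client and by picking out probe names the resolver answered, which is what dnsrecon's own check would flag.

```python
"""Offline re-implementation of the DnsEvents hunt (added example, not the
page's own or dnsrecon's code)."""
import re
from dataclasses import dataclass

# The two regexes are copied verbatim from the KQL query. RE2 (what KQL's
# `matches regex` uses) and Python's `re` agree on this syntax, and both are
# case-sensitive by default, so "[A-Z]" really does demand an uppercase letter.
NAME_SHAPE = re.compile(r"^[a-zA-Z0-9]{20}\.com$")
HAS_UPPER = re.compile(r"[A-Z]")
QUERY_TYPES = {"A", "AAAA"}

# Assumption: ResultCode carries the DNS RCODE (0 = NOERROR, 3 = NXDOMAIN).
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


@dataclass(frozen=True)
class DnsEvent:
    """Subset of the DnsEvents columns the query projects."""
    time_generated: str
    computer: str
    client_ip: str
    name: str
    query_type: str
    result_code: int


def is_dnsrecon_probe(event: DnsEvent) -> bool:
    """Same predicate as the KQL `where` clause."""
    return (
        NAME_SHAPE.search(event.name) is not None
        and HAS_UPPER.search(event.name) is not None
        and event.query_type in QUERY_TYPES
    )


def hunt(events):
    """Equivalent of the whole query: keep only the matching rows."""
    return [e for e in events if is_dnsrecon_probe(e)]


def probes_by_client(events):
    """Triage helper: how many probe-shaped lookups each ClientIP made."""
    counts = {}
    for e in hunt(events):
        counts[e.client_ip] = counts.get(e.client_ip, 0) + 1
    return counts


def answered_probes(events):
    """Probe names that resolved (NOERROR) instead of NXDOMAIN. A random
    20-character .com that gets an answer is what dnsrecon's check reports
    as NXDOMAIN hijacking by the resolver."""
    return [e for e in hunt(events) if e.result_code == RCODE_NOERROR]


# Constructed sample records; none are real hosts or real dnsrecon output.
SAMPLE_EVENTS = [
    DnsEvent("2024-11-14T09:12:01Z", "DC01", "10.0.0.25",
             "Qz7Lp2Xv9Kd4Bn8Ws1Tr.com", "A", RCODE_NXDOMAIN),     # probe
    DnsEvent("2024-11-14T09:12:02Z", "DC01", "10.0.0.25",
             "aB3dE5fG7hI9jK1lM3nO.com", "AAAA", RCODE_NOERROR),   # probe, answered
    DnsEvent("2024-11-14T09:12:03Z", "DC01", "10.0.0.25",
             "Qz7Lp2Xv9Kd4Bn8Ws1Tr.com", "TXT", RCODE_NXDOMAIN),   # wrong QueryType
    DnsEvent("2024-11-14T09:13:10Z", "DC01", "10.0.0.40",
             "abcdefghij0123456789.com", "A", RCODE_NXDOMAIN),     # no uppercase letter
    DnsEvent("2024-11-14T09:13:11Z", "DC01", "10.0.0.40",
             "Qz7Lp2Xv9Kd4Bn8Ws1T.com", "A", RCODE_NXDOMAIN),      # only 19 characters
    DnsEvent("2024-11-14T09:13:12Z", "DC01", "10.0.0.40",
             "Qz7Lp2Xv9Kd4Bn8Ws1Tr.net", "A", RCODE_NXDOMAIN),     # not .com
    DnsEvent("2024-11-14T09:14:00Z", "DC01", "10.0.0.51",
             "www.example.com", "A", RCODE_NOERROR),               # ordinary lookup
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(e.time_generated, e.client_ip, e.name, e.query_type, e.result_code)
    print("per client:", probes_by_client(SAMPLE_EVENTS))
    print("answered probes:", [e.name for e in answered_probes(SAMPLE_EVENTS)])
```

Running it keeps exactly the two probe-shaped A/AAAA lookups from 10.0.0.25 and drops the TXT, lowercase, 19-character, .net and ordinary records, which is a quick way to confirm what the KQL regexes do and do not match before deploying the query.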

Jose Sebastián Canós
Released: November 14, 2024