Query Details

Weird DNS Queries

Query

DnsEvents
| where Name matches regex @"^[a-zA-Z0-9]{20}\.com$" and Name matches regex "[A-Z]" and QueryType in ("A", "AAAA")
// unexpectedly this activity is matching PTR or reverse lookup queries from a pentester

Explanation

This KQL (Kusto Query Language) query is filtering DNS events based on specific criteria. Here's a simple summary:

  1. Data Source: The query is looking at a dataset called DnsEvents, which contains DNS-related information.

  2. Filter Criteria:

    • Domain Name Pattern: It filters for domain names that:
      • Are exactly 20 characters long, consisting only of letters (both uppercase and lowercase) and numbers, followed by ".com".
      • Contain at least one uppercase letter.
    • Query Type: It further filters these events to include only those with a query type of "A" or "AAAA", which are types of DNS queries used to resolve domain names to IP addresses (IPv4 and IPv6, respectively).

  3. Comment: The comment in the query notes an unexpected behavior: the activity is also matching PTR (Pointer) or reverse lookup queries, which are typically used to resolve IP addresses back to domain names. This suggests that the query might be capturing more data than intended, possibly due to a misconfiguration or misunderstanding of the data.

In essence, the query is designed to find specific DNS queries for ".com" domains with certain characteristics, but it's also capturing some unintended reverse lookup queries.
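To see exactly which rows the where clause admits, here is an added Python re-implementation of the same filter run over constructed DNS events (example code, not part of the original query page; the sample names and rows are made up, and the Python regexes are the query's own two patterns):

```python
import re

# Same patterns as the KQL query: the first anchors a 20-character alphanumeric
# label directly under .com, the second requires at least one uppercase letter.
# Python's re is case-sensitive by default, as KQL's "matches regex" is.
NAME_PATTERN = re.compile(r"^[a-zA-Z0-9]{20}\.com$")
UPPER_PATTERN = re.compile(r"[A-Z]")
QUERY_TYPES = {"A", "AAAA"}


def is_weird_dns_query(name: str, query_type: str) -> bool:
    """Return True when a DNS event would pass the query's where clause."""
    return (
        NAME_PATTERN.search(name) is not None
        and UPPER_PATTERN.search(name) is not None
        and query_type in QUERY_TYPES
    )


def filter_events(events):
    """Apply the filter to an iterable of {'Name': ..., 'QueryType': ...} rows."""
    return [e for e in events if is_weird_dns_query(e["Name"], e["QueryType"])]


# Constructed sample rows (not real telemetry); every name here is made up.
SAMPLE_EVENTS = [
    {"Name": "aB3dE5fG7hI9jK1lM2nO.com", "QueryType": "A"},      # matches
    {"Name": "aB3dE5fG7hI9jK1lM2nO.com", "QueryType": "AAAA"},   # matches
    {"Name": "ab3de5fg7hi9jk1lm2no.com", "QueryType": "A"},      # no uppercase letter
    {"Name": "aB3dE5fG7hI9jK1lM2nO.net", "QueryType": "A"},      # not .com
    {"Name": "aB3dE5fG7hI9jK1lM2.com", "QueryType": "A"},        # only 18 characters
    {"Name": "www.aB3dE5fG7hI9jK1lM2nO.com", "QueryType": "A"},  # extra label, regex is anchored
    {"Name": "aB3dE5fG7hI9jK1lM2nO.com", "QueryType": "PTR"},    # excluded by QueryType
    {"Name": "4.3.2.1.in-addr.arpa", "QueryType": "PTR"},        # reverse lookup name
]

if __name__ == "__main__":
    for row in filter_events(SAMPLE_EVENTS):
        print(row["QueryType"], row["Name"])
```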

Details


Jose Sebastián Canós

Released: November 13, 2024

Tables

DnsEvents

Keywords

DnsEvents, QueryType, Name

Operators

where, matches regex, in