IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
DNS Activity to the Internet
editDNS Activity to the Internet
editDetects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization’s ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.
Rule type: query
Rule indices:
- filebeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
References:
Tags:
- Elastic
- Network
Version: 3 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Potential false positives
editExclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior.
Rule query
editdestination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Commonly Used Port
- ID: T1043
- Reference URL: https://attack.mitre.org/techniques/T1043/
Rule version history
edit- Version 3 (7.7.0 release)
-
Updated query, changed from:
destination.port:53 and ( network.direction: outbound or ( source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\:\:fb or 255.255.255.255 ) ) )
- Version 2 (7.6.1 release)
-
- Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.