
Quick Start Security for InfoBlox DNS


Out-of-the-Box Security For InfoBlox DNS Includes:

Alerts - 7

Stay on top of InfoBlox DNS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Infoblox DNS - A New Domain Queried

This alert detects whenever a domain is queried for the first time in the last 1 week. Please note that this alert will become active (after being deployed) only after the configured alert time window, which in this case is 1 week. This gives the algorithm time to train on the new values of the tracked key, capture the baseline and prevent false notifications.

Impact: A newly queried domain that has never been queried before could be an indication of malicious activity. The reasoning here is to understand whether there is any business requirement for that domain.

Mitigation: Investigate whether there is a business requirement to connect to this domain. If not, inspect the connections from and to that domain. Additionally, administrators can add that domain to the list of blacklisted domains if there is no business requirement for it.

MITRE Tactic: TA0011; MITRE Technique: T1071; MITRE Sub-Technique: T1071.004
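The "first time in the last 1 week" logic above, written out as an added example (this is not Coralogix's or Infoblox's code). It keeps a last-seen timestamp per normalized domain, treats the first week after deployment as a training period that only fills the baseline, and then raises an alert for any domain not seen within the preceding 7 days. The event tuples, the deployment date and the `normalize` helper are constructed for the example, not the product's schema.

```python
"""First-seen domain detection with a 1-week baseline (added example).

The event layout (timestamp, client IP, queried name) is constructed for this
example and is an assumption, not the Infoblox log schema.
"""
from datetime import datetime, timedelta

BASELINE = timedelta(days=7)          # "not seen in the last 1 week"
DEPLOYED_AT = datetime(2024, 3, 1)    # constructed deployment time of the alert

# Constructed sample events: (UTC timestamp, client IP, queried name).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "10.0.0.5", "mail.example.com."),
    ("2024-03-02T10:15:00", "10.0.0.7", "CDN.Example.NET"),
    ("2024-03-05T11:30:00", "10.0.0.5", "mail.example.com."),
    ("2024-03-09T08:00:00", "10.0.0.5", "mail.example.com."),    # seen 4 days ago: no alert
    ("2024-03-09T08:05:00", "10.0.0.9", "xj3k-update.invalid"),  # never seen: alert
    ("2024-03-21T14:00:00", "10.0.0.7", "cdn.example.net"),      # last seen 19 days ago: alert
]


def normalize(qname):
    """Lower-case and drop the trailing dot so 'A.Example.COM.' and 'a.example.com' match."""
    return qname.rstrip(".").lower()


def first_seen_domains(events, deployed_at, baseline=BASELINE):
    """Return alerts for domains not queried within the preceding `baseline` window.

    Events earlier than deployed_at + baseline only populate the baseline; this
    mirrors the training period the alert description requires before it fires.
    """
    last_seen = {}
    alerts = []
    active_from = deployed_at + baseline
    for ts_str, client, qname in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        domain = normalize(qname)
        prev = last_seen.get(domain)
        is_new = prev is None or (ts - prev) > baseline
        if is_new and ts >= active_from:
            alerts.append({
                "time": ts_str,
                "client": client,
                "domain": domain,
                "last_seen": prev.isoformat() if prev else None,
            })
        last_seen[domain] = ts   # update the baseline whether or not we alerted
    return alerts


if __name__ == "__main__":
    for alert in first_seen_domains(SAMPLE_EVENTS, DEPLOYED_AT):
        print(alert)
```

The `last_seen` map is the state the description calls the "key tracked"; in production it would be persisted rather than rebuilt from a list, and the `normalize` step could additionally collapse hostnames to their registrable domain so that per-host subdomains of one service do not each count as "new".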

Infoblox DNS - High Number of NXDOMAIN Responses Returned

This alert detects when a high number of NXDOMAIN response codes are returned as a result of DNS queries. The NXDOMAIN response code indicates that the queried domain does not exist.

Impact: A high number of NXDOMAIN responses from DNS servers can be an indication of DGA (Domain Generation Algorithm) activity.

Mitigation: Investigate the source hosts that queried the domains which resulted in a high number of NXDOMAIN responses. See the following link for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/

MITRE Tactic: TA0011; MITRE Technique: T1071; MITRE Sub-Technique: T1071.004

Infoblox DNS - Anomalous number of Uncommon DNS Record Types Observed

This alert detects when a high number of DNS queries with uncommon record types, such as TXT, PTR and NULL, are seen from a host.
TXT: a text record; these records are often used for email security.
PTR: provides a domain name in reverse lookups.
NULL: a null resource record.

Impact: Threat actors may use less common record types for their C2 channels to support different commands or functions. For example, a C2 channel may use TXT requests to retrieve additional information, malware, or commands to execute.

Mitigation: Investigate the hosts querying the domains with a high number of these uncommon record types.

MITRE Tactic: TA0011; MITRE Technique: T1071; MITRE Sub-Technique: T1071.004

Infoblox DNS - DNS Activity on TCP Detected

This alert detects when a DNS query is transmitted over TCP rather than UDP.

Impact: DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data over the DNS protocol. Both can be an indication of malicious activity.

Mitigation: Investigate the source hosts involved in those queries using the audit logs from these machines, as this activity could be an indication of data exfiltration. See the following link for more detail: https://www.akamai.com/blog/news/introduction-to-dns-data-exfiltration

MITRE Tactic: TA0010; MITRE Technique: T1048

Infoblox DNS - Excessive REFUSED Response Code Returned

This alert detects when a high number of REFUSED response codes are returned as a result of DNS queries. The REFUSED response code indicates that the DNS query failed because the server refused to answer it, which may be for policy reasons.

Impact: A high number of REFUSED responses from DNS servers could be due to policy reasons. For example, a particular device may be blocked if it is abusing the nameserver, or a particular operation, such as a zone transfer, might be forbidden. A zone transfer is a way of replicating DNS configuration information across multiple DNS servers for load balancing or backup. Usually, only an authorized party can complete a zone transfer; if a user tries to initiate one without authorization, this is the response code they would get.

Mitigation: Investigate the source hosts that queried the domains which resulted in a high number of REFUSED responses. See the following link for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/

MITRE Tactic: TA0011; MITRE Technique: T1071; MITRE Sub-Technique: T1071.004

Infoblox DNS - Excessive SERVFAIL Response Code Returned

This alert detects when a high number of SERVFAIL response codes are returned as a result of DNS queries. The SERVFAIL response code indicates a server failure, which could mean there is a technical problem with the DNS servers.

Impact: A high number of SERVFAIL responses from DNS servers could indicate that a security control on your network, such as a firewall or intrusion prevention system, is blocking a user from reaching that domain. Much like NXDOMAIN, excessive SERVFAIL responses should be investigated for malicious activity.

Mitigation: Investigate the source hosts that queried the domains which resulted in a high number of SERVFAIL responses. See the following links for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/ https://blog.cloudflare.com/unwrap-the-servfail/

MITRE Tactic: TA0011; MITRE Technique: T1071; MITRE Sub-Technique: T1071.004
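The NXDOMAIN, uncommon-record-type, DNS-over-TCP, REFUSED and SERVFAIL alerts above all share one shape: count events matching a predicate per source host inside a time window and fire when the count reaches a threshold. The added example below (not Coralogix's or Infoblox's code) implements that shape once and expresses each of the five alerts as a rule. The log lines, the line layout (which only loosely imitates BIND-style response logging), the regular expression, the 15-minute window and the thresholds are all constructed for the example; production thresholds need tuning, since, for instance, a resolver legitimately retries over TCP when a UDP response is truncated.

```python
"""Per-client threshold rules over DNS response logs (added example).

Log lines and their layout are constructed for this example and are not the
Infoblox product's exact format; thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: time, client, transport, qname, qtype, rcode.
SAMPLE_LOG = """\
2024-03-09T10:00:01 client 10.0.0.5#51234: UDP: query: www.example.com IN A response: NOERROR
2024-03-09T10:00:02 client 10.0.0.9#40001: UDP: query: q1a7fz.example.org IN A response: NXDOMAIN
2024-03-09T10:00:03 client 10.0.0.9#40002: UDP: query: pq9xk2.example.org IN A response: NXDOMAIN
2024-03-09T10:00:04 client 10.0.0.9#40003: UDP: query: zz0m4r.example.org IN A response: NXDOMAIN
2024-03-09T10:00:05 client 10.0.0.9#40004: UDP: query: b8v1ls.example.org IN A response: NXDOMAIN
2024-03-09T10:00:06 client 10.0.0.12#55000: UDP: query: 5.0.0.10.in-addr.arpa IN PTR response: NOERROR
2024-03-09T10:00:07 client 10.0.0.12#55001: UDP: query: c2.example.net IN TXT response: NOERROR
2024-03-09T10:00:08 client 10.0.0.12#55002: UDP: query: c2.example.net IN NULL response: NOERROR
2024-03-09T10:00:09 client 10.0.0.15#60000: TCP: query: example.com IN AXFR response: REFUSED
2024-03-09T10:00:10 client 10.0.0.15#60001: UDP: query: example.com IN ANY response: REFUSED
2024-03-09T10:00:11 client 10.0.0.5#51235: UDP: query: www.example.com IN AAAA response: SERVFAIL
2024-03-09T10:00:12 client 10.0.0.5#51236: UDP: query: www.example.com IN AAAA response: SERVFAIL
2024-03-09T10:00:13 named[123]: zone example.com/IN: loaded serial 2024030901
2024-03-09T11:30:00 client 10.0.0.9#40005: UDP: query: late.example.org IN A response: NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: (?P<proto>UDP|TCP): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) response: (?P<rcode>\S+)$"
)


def parse_log(text):
    """Yield one event dict per parsable line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


UNCOMMON_QTYPES = {"TXT", "PTR", "NULL"}

# (rule name, predicate on one event, per-client threshold inside one window).
RULES = [
    ("High NXDOMAIN responses",      lambda e: e["rcode"] == "NXDOMAIN",       3),
    ("Excessive REFUSED responses",  lambda e: e["rcode"] == "REFUSED",        2),
    ("Excessive SERVFAIL responses", lambda e: e["rcode"] == "SERVFAIL",       2),
    ("Uncommon DNS record types",    lambda e: e["qtype"] in UNCOMMON_QTYPES,  3),
    ("DNS activity on TCP",          lambda e: e["proto"] == "TCP",            1),
]


def evaluate(events, window=timedelta(minutes=15)):
    """Count matching events per (rule, client, fixed window); return alerts at or over threshold."""
    thresholds = {name: t for name, _, t in RULES}
    counts = defaultdict(int)
    for e in events:
        ts = datetime.fromisoformat(e["ts"]).replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp() // window.total_seconds())
        for name, predicate, _ in RULES:
            if predicate(e):
                counts[(name, e["client"], bucket)] += 1
    alerts = []
    for (name, client, bucket), n in sorted(counts.items()):
        if n >= thresholds[name]:
            alerts.append({"rule": name, "client": client, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, host 10.0.0.9's four NXDOMAIN responses inside one window fire the NXDOMAIN rule while its single response at 11:30 lands in a later window and stays below threshold; the one AXFR over TCP from 10.0.0.15 fires the TCP rule on its own and, together with the refused ANY query, the REFUSED rule as well.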

Infoblox DNS - No logs from Infoblox DNS

This rule detects if there are no logs in the last 36 hours for Infoblox DNS in the customer account. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging issues to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005; MITRE Technique: T1562

Documentation

Learn more about Coralogix's out-of-the-box integration with InfoBlox DNS in our documentation.
