
DNS Queries to malicious (C&C) sites

It would appear that two of my dockers are continually trying to query a domain that has been categorized as a C&C site. I would like to stop these queries, or sinkhole them, but I'm not sure of the best way. The docker container is querying my internal DNS server, which is then querying my forwarding DNS servers and being flagged/prevented at my firewall.

The domains are unifi.domain.tld and ombiombi.domain.tld. I don't want to put an exception in my firewall, I just want to blackhole or stop the requests. Or understand why they are there in the first place. Can anyone offer advice or suggestions?

Also what is odd, I am not running Ombi, but Overseer. I'm assuming that the ombiombi query is from Overseer. I'm also assuming the unifi query is from my Unifi container.

[Attached screenshot: 2024-09-12_110823.png]

Solved by UncleStu

  • Author

I know this is not the best solution, but I ended up creating a new "domain.tld" zone on my DNS server with no records in the zone. It has stopped the firewall from complaining, but I know it hasn't stopped the requests. Still looking for any suggestions or recommendations on why the container is reaching out to this domain.

Those are not valid domain names. Are you sure those connection attempts are from docker containers?

It looks like a default setting in the conf file of an app. Here I suppose unifi and ombi.

What are the results of nslookup unifi.domain.tld or nslookup ombiombi.domain.tld?

I would start to look at host files.

On 9/12/2024 at 2:16 PM, UncleStu said:

a domain that has been categorized as a C&C site

Where did you see that?

  • Author
2 hours ago, caplam said:

It looks like a default setting in conf file of an app.

Where could I look for these? I looked through the Unifi and Overseer web UIs and didn't see anything. I looked through the settings for Docker as well, thinking that maybe it was something nested into Unraid itself. Nothing.

You're correct that the domain doesn't exist. I didn't look to see if it did or not. Could possibly be a false positive from my firewall. Still interested in stopping/changing the queries if I could find out where they are coming from.


2 hours ago, JonathanM said:

Where did you see that?

The log details screenshot from the first post shows this. But the data could be wrong if it is a FP alert.

See what device requests the domain IP. I'm no expert, but perhaps you have a wrong entry in a hosts file (on your server or in a container).

  • Author

I can't tell who is making the request to my internal DNS server. I can only see the request from my DNS server to an external DNS forwarder. Without a packet capture in front of my DNS server, I don't think I'll know.

As for an improper hosts file: I don't have any hosts file configs for my containers, or none that I have set myself. And my Unraid doesn't have any hosts with this domain. My only thoughts are that it is within the container image itself. Is there a command I can run within the container to see the hosts? Or domain name being used?

  • 2 weeks later...
  • Author
  • Solution

I FOUND IT!!

My Varken.ini file had these FQDNs defined. I set the sections to false, and commented out the lines too.
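The root cause above (template hostnames left in an app's INI config) and the earlier question about checking hosts files both come down to the same audit: find which config on the host points at a domain you never set up. The following Python script is an added example written for this thread, not code from the thread or from the Varken project. It scans INI-style text for values that look like hostnames under a given suffix, reports whether the owning section is actually switched on, and does the same for /etc/hosts-style text. The section and key names in the sample config are an assumption modelled loosely on a Varken-style layout (real Varken keys may differ), and all sample values are constructed.

```python
"""Audit INI app configs and hosts files for hostnames under a given domain
suffix, so leftover placeholder values such as '*.domain.tld' can be found
before a DNS resolver or firewall flags the lookups.

Added example for the thread; constructed sample input, not the author's files.
"""
import configparser
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample. Section/key layout is an assumption loosely modelled on a
# Varken-style INI; the 'domain.tld' values are the kind of template leftovers
# the thread's author eventually found.
SAMPLE_INI = """\
[global]
ombi_server_ids = 1
unifi_server_ids = 1

[ombi-1]
url = ombiombi.domain.tld
apikey = CONSTRUCTED-KEY
ssl = false

[unifi-1]
url = unifi.domain.tld:8443
username = CONSTRUCTED-USER
ssl = false

[tautulli-1]
url = tautulli.lan.example:8181
apikey = CONSTRUCTED-KEY
"""

# Constructed /etc/hosts-style sample with one entry under the suspect suffix.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# constructed entry: a stray hosts line would silently answer the lookup
10.0.0.5 unifi.domain.tld unifi
"""

# Optional scheme, the host, optional :port, optional path.
HOST_RE = re.compile(r'^(?:https?://)?([A-Za-z0-9.-]+)(?::\d+)?(?:/.*)?$')


class Finding(NamedTuple):
    section: str
    key: str
    host: str
    enabled: bool


def extract_host(value: str) -> Optional[str]:
    """Pull a bare lowercase hostname out of a config value, or None."""
    m = HOST_RE.match(value.strip())
    return m.group(1).lower() if m else None


def _under(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith('.' + suffix)


def section_enabled(cfg: configparser.ConfigParser, section: str) -> bool:
    """A 'name-N' section counts as enabled if N is listed in
    [global] name_server_ids (assumed convention for this example)."""
    if '-' not in section:
        return True
    name, _, idx = section.rpartition('-')
    ids = cfg.get('global', f'{name}_server_ids', fallback='')
    return idx in [i.strip() for i in ids.split(',') if i.strip()]


def find_hosts_under(ini_text: str, suffix: str) -> List[Finding]:
    """Return every INI value whose hostname sits under `suffix`."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    suffix = suffix.lower().lstrip('.')
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            host = extract_host(value)
            if host and _under(host, suffix):
                findings.append(Finding(section, key, host,
                                        section_enabled(cfg, section)))
    return findings


def hosts_entries_under(hosts_text: str, suffix: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs from hosts-file text under `suffix`."""
    suffix = suffix.lower().lstrip('.')
    out = []
    for line in hosts_text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            if _under(name.lower(), suffix):
                out.append((parts[0], name.lower()))
    return out


if __name__ == '__main__':
    for f in find_hosts_under(SAMPLE_INI, 'domain.tld'):
        state = 'ENABLED' if f.enabled else 'disabled'
        print(f'[{f.section}] {f.key} -> {f.host} ({state})')
    for addr, name in hosts_entries_under(SAMPLE_HOSTS, 'domain.tld'):
        print(f'hosts: {addr} {name}')
```

Run it against the real files with the suffix the firewall flagged (here `domain.tld`); a hit in an enabled section explains the periodic lookups, and a hit in a disabled section is worth removing anyway so it cannot resurface when the section is re-enabled.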
