DNS Queries to malicious (C&C) sites


Posted by UncleStu

It would appear that two of my dockers are continually trying to query a domain that has been categorized as a C&C site. I would like to stop these queries, or sink hole them, but I'm not sure of the best way. The docker container is querying my internal DNS server, which is then querying my forwarding DNS servers and being flagged/prevented at my firewall.


The domains are unifi.domain.tld and ombiombi.domain.tld. I don't want to put an exception in my firewall, I just want to blackhole or stop the requests. Or understand why they are there in the first place. Can anyone offer advice or suggestions?


Also what is odd, I am not running Ombi, but Overseer. I'm assuming that the ombiombi query is from Overseer. I'm also assuming the unifi query is from my Unifi container.

[screenshot: 2024-09-12_110823.png (firewall log details)]

Posted by UncleStu (marked as solution)

I know this is not the best solution, but I ended up creating a new "domain.tld" zone on my DNS server with no records in the zone. It has stopped the firewall from complaining, but I know it hasn't stopped the requests. Still looking for any suggestions or recommendations on why the container is reaching out to this domain.

Posted by caplam

Those are not valid domain names. Are you sure those connection attempts are from Docker containers?

It looks like a default setting in the conf file of an app, here I suppose unifi and ombi.

What are the results of nslookup unifi.domain.tld or nslookup ombiombi.domain.tld?

I would start by looking at hosts files.

Posted by UncleStu
2 hours ago, caplam said:

It looks like a default setting in conf file of an app.

Where could I look for these? I looked through the Unifi and Overseer web UIs and didn't see anything. I looked through the settings for Docker as well, thinking that maybe it was something nested into Unraid itself. Nothing.


You're correct that the domain doesn't exist. I didn't look to see if it did or not. Could possibly be a false positive from my firewall. Still interested in stopping/changing the queries if I could find out where they are coming from.


2 hours ago, JonathanM said:

Where did you see that?

The log details screenshot from the first post shows this. But the data could be wrong if it is a FP alert.

Posted by UncleStu

I can't tell who is making the request to my internal DNS server. I can only see the request from my DNS server to an external DNS Forwarder. Without a packet capture in front of my DNS server, I don't think I'll know.


As for an improper hosts file: I don't have any hosts file configs for my containers, or none that I have set myself, and my Unraid doesn't have any hosts with this domain. My only thought is that it is within the container image itself. Is there a command I can run within the container to see the hosts? Or the domain name being used?
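The two open questions in the post above (which client is asking the internal resolver, and where inside a container the name is configured) can both be answered without guessing. The first needs exactly what the post says: a capture or query log taken where the resolver receives the queries, not where it forwards them. One caveat a practitioner should check first: containers on Unraid's default bridge, or on a user-defined Docker bridge (where they resolve through Docker's embedded DNS at 127.0.0.11), reach the LAN through NAT, so an external resolver sees the Unraid host's IP as the source. In that case capture on the Docker bridge interface on the host (before masquerading) or give the containers their own LAN addresses (the br0 macvlan/ipvlan network on Unraid); otherwise the source IP is already the container's. The script below is an added example, not code from this thread, from Unraid, or from the UniFi or Overseerr projects. It parses the one-line summary format that `tcpdump -n -l udp port 53` prints, counts queries under the watched domain per source, maps sources to container names using an IP map of the kind `docker inspect` reports, and then scans a directory tree (an exported container filesystem or a bind-mounted /config) for files that mention the domain. The capture lines, the IP-to-container map, the resolver address 192.168.1.2 and the miniature container tree are all constructed samples.

```python
"""Attribute DNS queries to containers and locate the config that names the domain.

Added example; not code from the forum thread or from Unraid, UniFi or Overseerr.
Assumes a capture from `tcpdump -n -l udp port 53` on the interface where the
resolver receives queries, and a container IP map such as
`docker inspect -f '{{.Name}} {{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $(docker ps -q)`
would give.  Every input below is a constructed sample.
"""
import os
import re
import tempfile
from collections import Counter

# Constructed tcpdump output.  Lines 1, 3 and 4 are client queries to the
# resolver; line 2 is the resolver's NXDOMAIN answer and line 5 is the
# resolver's own forward to an upstream, which must not be attributed to a client.
SAMPLE_CAPTURE = """\
11:08:23.101011 IP 172.18.0.5.41234 > 192.168.1.2.53: 4511+ A? unifi.domain.tld. (34)
11:08:23.101020 IP 192.168.1.2.53 > 172.18.0.5.41234: 4511 NXDomain 0/1/0 (109)
11:08:40.220001 IP 172.18.0.9.53022 > 192.168.1.2.53: 9121+ AAAA? ombiombi.domain.tld. (37)
11:08:40.220110 IP 172.18.0.9.53022 > 192.168.1.2.53: 9122+ A? ombiombi.domain.tld. (37)
11:08:41.000000 IP 192.168.1.2.54001 > 9.9.9.9.53: 3301+ A? unifi.domain.tld. (34)
"""

# Constructed container address map (the names and addresses are assumptions).
CONTAINER_BY_IP = {"172.18.0.5": "unifi", "172.18.0.9": "overseerr"}
RESOLVER_IP = "192.168.1.2"          # assumed address of the internal DNS server
WATCHED_DOMAIN = "domain.tld"        # the zone the firewall is flagging

# Query half of tcpdump's DNS summary: "<ts> IP <src>.<sport> > <dst>.53: <id>+ <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"\d+\+\S* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)\. "
)


def parse_queries(capture_text):
    """Yield (client_ip, qtype, qname) for each query addressed to the resolver."""
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if not m or m["dst"] != RESOLVER_IP:
            continue  # answers, and the resolver's own upstream forwards
        yield m["src"], m["qtype"], m["qname"].lower()


def in_domain(qname, domain):
    """True if qname is domain itself or a name below it (suffix match on a label boundary)."""
    return qname == domain or qname.endswith("." + domain)


def attribute(capture_text, container_by_ip, domain):
    """Count queries under `domain`, keyed by (container name or unknown source, qname)."""
    hits = Counter()
    for src, _qtype, qname in parse_queries(capture_text):
        if in_domain(qname, domain):
            who = container_by_ip.get(src, f"unknown host {src}")
            hits[(who, qname)] += 1
    return dict(hits)


def find_references(root, needle, max_bytes=4 * 1024 * 1024):
    """Return files under `root` whose bytes contain `needle` (case-insensitive).

    Point `root` at an exported container filesystem (`docker export`) or at the
    container's bind-mounted config directory on the host; oversized files are skipped.
    """
    needle_b = needle.lower().encode()
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    if needle_b in fh.read().lower():
                        found.append(path)
            except OSError:
                continue  # unreadable or vanished while walking
    return sorted(found)


def demo_reference_scan():
    """Scan a constructed miniature container tree; returns matching paths relative to it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "config", "settings.json"), "w") as fh:
            fh.write('{"hostname": "ombiombi.domain.tld", "port": 5055}\n')  # constructed
        with open(os.path.join(root, "config", "app.log"), "w") as fh:
            fh.write("startup ok\n")
        return [os.path.relpath(p, root) for p in find_references(root, WATCHED_DOMAIN)]


if __name__ == "__main__":
    for (who, qname), n in attribute(SAMPLE_CAPTURE, CONTAINER_BY_IP, WATCHED_DOMAIN).items():
        print(f"{who}: {n} query(s) for {qname}")
    print("config files mentioning the domain:", demo_reference_scan())
```

Against the constructed capture the report attributes the unifi.domain.tld query to the unifi container and the two ombiombi.domain.tld queries to overseerr, and the scan finds config/settings.json. On a live system the same search can be run without exporting anything: `docker exec <container> grep -rl domain.tld /etc /config` and `docker exec <container> cat /etc/hosts /etc/resolv.conf` will show a hosts entry or a stored hostname if that is where the name comes from; if nothing in the filesystem mentions it, the name is being built at runtime (for example from a hostname setting plus a search domain), and the capture, not the config, is the place to keep looking.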
