I have been trying to find the source of this DNS query spam for over 2 weeks now. We have a SonicWall SOHO edition gateway at 10.1.5.65, 10.1.20.65, and 10.1.1.250 (1 subnet per interface).
- The DNS server lives at 10.1.5.75
- The spam comes from 10.1.5.65
- The query is for vjiojveofijvwk.net & 2hpujkw6ypybyaz.net
- Any other requests made are all logged with the proper source and destination, aside from the spam I am trying to diagnose.
  (ex: query[A] win10.ipv6.microsoft.com from 10.1.1.25)
  (ex: me forcing the same query from the 10.1.20.x subnet: "query[A] 2hpujkw6ypybyaz.net from 10.1.20.68")
  (ex: me forcing the same query from the 10.1.5.x subnet: "query[A] 2hpujkw6ypybyaz.net from 10.1.5.70")
  (ex: me forcing the same query from the 10.1.1.x subnet: "query[A] 2hpujkw6ypybyaz.net from 10.1.1.25")
- The DHCP servers are all configured to provide 10.1.5.75 as the DNS server and nothing else.
- When I tried dig @10.1.5.75 google.com I get a reply; if I dig @(ANYGATEWAY) the reply fails.
- The SonicWall does no forwarding and has no DNS server/daemon running.
I am going crazy; I cannot figure this out. Even the packet captures I run all show the source as the gateway. Why in the world is any DNS traffic coming from the source IP of the SonicWall gateway? We do not allow requests from the outside and there is no NAT between the subnets. At this point all I can think of is that the SonicWall somehow got infected, or something is spoofing its source IP to be the gateway.
I have tried googling numerous things and I am honestly surprised I cannot find something along the lines of:
"Router's gateway IP spamming DNS requests"
"Malicious DNS request coming from gateway"
"Router running no DNS forwarding or daemon is making queries from its IP"
"ExpressVPN strange DNS queries"
https://www.reddit.com/r/pihole/comments/7yx9zt/strange_dns_queries/
There is a single comment here ^ that shows someone "has seen ExpressVPN make weird queries" but no other information. The internet search engines have failed me countless times on this; I don't know where else to turn but posts at this point.
The DNS requests (after much digging) seem to be related to ExpressVPN, but VirusTotal shows them to be malicious domains/IPs/files that came from them.
The DNS spam is for the 2 domains below, and it happens literally every 1 second.
    query[A] vjiojveofijvwk.net from 10.1.5.65
    query[A] 2hpujkw6ypybyaz.net from 10.1.5.65
https://www.virustotal.com/#/domain/vjiojveofijvwk.net
https://www.virustotal.com/#/domain/2hpujkw6ypybyaz.net
https://www.virustotal.com/#/ip-address/107.6.159.114 <-- This one in particular: "expressvpn_6.7.3.4009apk.apk"
https://www.virustotal.com/#/ip-address/198.143.153.42
https://www.virustotal.com/#/url/006ec4fca4b25ac9729d73259bd18c973ad3b9d6441ff2f508a71829a240fd73/detection
I am not super worried at the moment, as I am DNS sinkholing the requests. But it is generating a lot of unnecessary traffic.
If anyone can figure this out, or has heard of this, or knows how the router IP could possibly be the source IP & MAC of the request, I would really like to know before I go crazy and start ripping nodes off this network one by one until the traffic stops.
Edit: Apologies, I am not used to Reddit formatting at all.
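The two symptoms in the post (a query for the same name repeating at a steady 1 s cadence, and queries whose source is a gateway interface that should never originate lookups) are both easy to pull out of a dnsmasq query log automatically. The script below is an added example, not code from the post or from any of the products mentioned; it parses the `query[A] <name> from <ip>` lines the post shows (with a syslog timestamp prefix assumed in front of them, since the post's excerpts omit it), then flags (source, name) pairs that recur at a near-constant interval and any query sourced from the gateway addresses listed in the post. The log lines, the hostname `dns1`, the PID and the year are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# dnsmasq-style query line with a syslog prefix (assumed format; the post's
# excerpts show only the "query[A] <name> from <ip>" part).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<src>\S+)$"
)

# Interface addresses from the post: a gateway with no resolver or forwarder
# should never be the source of a client lookup, so any hit here is suspect.
GATEWAY_IPS = {"10.1.5.65", "10.1.20.65", "10.1.1.250"}

# Constructed sample log: the two names from the post repeating every second
# from the gateway, mixed with ordinary client traffic and one manual test.
SAMPLE_LOG = """\
Mar 13 12:00:00 dns1 dnsmasq[1234]: query[A] vjiojveofijvwk.net from 10.1.5.65
Mar 13 12:00:00 dns1 dnsmasq[1234]: query[A] 2hpujkw6ypybyaz.net from 10.1.5.65
Mar 13 12:00:00 dns1 dnsmasq[1234]: query[A] win10.ipv6.microsoft.com from 10.1.1.25
Mar 13 12:00:01 dns1 dnsmasq[1234]: query[A] vjiojveofijvwk.net from 10.1.5.65
Mar 13 12:00:01 dns1 dnsmasq[1234]: query[A] 2hpujkw6ypybyaz.net from 10.1.5.65
Mar 13 12:00:02 dns1 dnsmasq[1234]: query[A] vjiojveofijvwk.net from 10.1.5.65
Mar 13 12:00:02 dns1 dnsmasq[1234]: query[A] 2hpujkw6ypybyaz.net from 10.1.5.65
Mar 13 12:00:02 dns1 dnsmasq[1234]: query[A] google.com from 10.1.5.70
Mar 13 12:00:03 dns1 dnsmasq[1234]: query[A] vjiojveofijvwk.net from 10.1.5.65
Mar 13 12:00:03 dns1 dnsmasq[1234]: query[A] 2hpujkw6ypybyaz.net from 10.1.5.65
Mar 13 12:00:04 dns1 dnsmasq[1234]: query[A] vjiojveofijvwk.net from 10.1.5.65
Mar 13 12:00:04 dns1 dnsmasq[1234]: query[A] 2hpujkw6ypybyaz.net from 10.1.5.65
Mar 13 12:00:05 dns1 dnsmasq[1234]: query[A] 2hpujkw6ypybyaz.net from 10.1.20.68
Mar 13 12:00:09 dns1 dnsmasq[1234]: query[A] google.com from 10.1.5.70
Mar 13 12:00:15 dns1 dnsmasq[1234]: query[A] google.com from 10.1.5.70
Mar 13 12:00:40 dns1 dnsmasq[1234]: query[A] google.com from 10.1.5.70
Mar 13 12:00:41 dns1 dnsmasq[1234]: query[A] google.com from 10.1.5.70
"""


def parse_line(line, year=2018):
    """Parse one query line into a dict, or return None for non-query lines.
    syslog timestamps carry no year, so one is assumed (2018 here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "qtype": m["qtype"], "qname": m["qname"].lower(), "src": m["src"]}


def parse_log(text, year=2018):
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def find_beaconing(records, min_count=5, max_jitter=0.25):
    """Return (src, qname) pairs queried at least min_count times with gaps
    that all stay within max_jitter of the median gap (a fixed-cadence timer)."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["qname"])].append(r["ts"])
    hits = []
    for (src, qname), stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # bursts within the same second are not a cadence
        if all(abs(g - med) <= max_jitter * med for g in gaps):
            hits.append({"src": src, "qname": qname, "count": len(stamps), "interval_s": med})
    return hits


def find_gateway_sourced(records, gateways=GATEWAY_IPS):
    """Return sorted (src, qname) pairs whose source is a gateway interface."""
    return sorted({(r["src"], r["qname"]) for r in records if r["src"] in gateways})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for h in find_beaconing(recs):
        print(f"beaconing: {h['src']} -> {h['qname']} x{h['count']} every {h['interval_s']}s")
    for src, qname in find_gateway_sourced(recs):
        print(f"gateway-sourced: {src} -> {qname}")
```

On the sample, the only cadence hits are the two names from 10.1.5.65 (five queries, 1 s apart), while the steady client traffic to google.com and the single manual test from 10.1.20.68 are left alone. Run against the real log, the output gives the exact (source, name) pairs to follow up with a capture on the gateway's LAN port, where the source MAC on those frames settles whether the gateway itself or another host on that segment is emitting them.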