<div dir="ltr">Another approach is to define a "fake" <a href="http://vitaminc.pro" target="_blank">vitaminc.pro</a> domain, point it at an internal webserver (assuming you have a spare, or can spin one up for the purpose), and see what clients are hitting it.<div><br></div><div>Of course, that assumes the communication is web-based. If it's some other protocol(s), you'd need to monitor that protocol, or those protocols, on the "decoy" server. One would need to know more about the behavior of the malware involved.</div><div><br></div><div>Speaking of which, Virustotal doesn't seem to think there's anything suspicious about <a href="http://vitaminc.pro">vitaminc.pro</a>. Haven't checked my other sources of Threat Intelligence, but usually there's *something* on VT if a domain is being used as a C&C...</div><div><br></div><div> - Kevin</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Feb 18, 2019 at 9:24 AM Tony Finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">MEjaz <<a href="mailto:mejaz@cyberia.net.sa" target="_blank">mejaz@cyberia.net.sa</a>> wrote:<br>
><br>
> If I enabled the system performs will slow down?<br>
<br>
Depends on how much load your servers are under and what their capacity<br>
is.<br>
<br>
An alternative to query logs, when you are searching for a known query<br>
name, is to use tcpdump. It's a tedious and fiddly to convert the name to<br>
DNS wire format and then into a pcap filter expression, so I have a little<br>
script to do that (quoted below after my .sig). The command you want is<br>
like:<br>
<br>
tcpdump -np udp port 53 and '(' udp[20] == 8 and udp[21] == 118 and udp[22] == 105 and udp[23] == 116 and udp[24] == 97 and udp[25] == 109 and udp[26] == 105 and udp[27] == 110 and udp[28] == 99 and udp[29] == 3 and udp[30] == 112 and udp[31] == 114 and udp[32] == 111 ')'<br>
<br>
Tony.<br>
-- <br>
f.anthony.n.finch <<a href="mailto:dot@dotat.at" target="_blank">dot@dotat.at</a>> <a href="http://dotat.at/" rel="noreferrer" target="_blank">http://dotat.at/</a><br>
Southeast Iceland: Northerly 6 to gale 8, veering northeasterly 5 to 7. Rough<br>
or very rough. Rain or wintry showers. Good, occasionally poor.<br>
<br>
<br>
#!/usr/bin/perl<br>
<br>
use warnings;<br>
use strict;<br>
<br>
use Net::DNS::DomainName;<br>
<br>
die "usage: $0 <domain-name>\n"<br>
unless @ARGV == 1;<br>
<br>
my $text = shift;<br>
my $wire = new Net::DNS::DomainName($text)->canonical;<br>
<br>
my @wire = unpack 'C*', $wire;<br>
<br>
pop @wire unless $text =~ m{\.$};<br>
<br>
printf "'(' %s ')'\n",<br>
join ' and ',<br>
map { sprintf "udp[%d] == %d",<br>
20 + $_, $wire[$_] }<br>
0 .. $#wire;<br>
#!/usr/bin/perl<br>
<br>
use warnings;<br>
use strict;<br>
<br>
die "usage: <a href="http://tcpdump-qname.pl" rel="noreferrer" target="_blank">tcpdump-qname.pl</a> <dns-label>\n"<br>
unless @ARGV == 1;<br>
<br>
my $name = shift;<br>
<br>
my @name = unpack 'C*', $name;<br>
<br>
printf "%s\n", join ', ', @name;<br>
<br>
_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>