non-domain names showing up in stats

Comments

3 comments

  • Avatar
    bulgin

    Reminds me of the malware kill switch trigger reported a while back - a piece of malware searches for a non-existent (or it could have been existent) domain which, when the malware writer created it designed it such that if it did (or did not) return a valid domain, the malware was turned on (or off depending on the case.)

    How can we determine what piece of software is requesting these non-existent domains?

  • Avatar
    rotblitz

    The "domains" you listed above cannot exist, because they miss a TLD part, unless you create them in your own DNS server or in your local hosts files, or unless there are related DNS search suffixes defined, building a TLD part.

    Same as with analyzing any other network traffic, you run a kind of network sniffer within your network.  Then you filter by port 53 (= DNS).  Also some routers support logging network traffic.  At least you can identify the device with this, but still not the software.  You had to run an OS specific tool on this device then.

Please sign in to leave a comment.