Interpreting DNS logs (1000s .WIN TLD DNS requests seen in logs)

Comments

    rotblitz (Edited)

    All information listed in your stats and logs results from DNS queries of networking applications within your network. We cannot know what applications you are running.

    Did you mean "Domain generation algorithm" by DGA? This is rather not a DGA; otherwise the domain names would be more random, not such lexical words.

    According to https://en.wikipedia.org/wiki/.win, .win is a generic top-level domain managed by Famous Four Media of Gibraltar, who pitch it as a memorable gTLD for "online gaming resources and services".

    And this symptom could really be related also to malware or ransomware, i.e., one or more of your networking apps could be malicious. You could block the whole TLD by entering win into your "always block" list. The DNS queries will still be listed (as being blocked), but it is ensured that no malicious application can phone home, because it can no longer obtain the needed IP addresses. Going further, you should try to identify the source (networking app) to eliminate it.

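The triage the comment describes (count the .win queries per client to find the source, judge whether the names look DGA-generated or are dictionary words, and check which queries an "always block" entry of win would catch) as an added worked example. This is not code from the original post or from any DNS service; the log format, the client IPs, the queried names and the tiny word list are all constructed for the example, and the DGA heuristic (length, character entropy, dictionary coverage) is a generic one, not the commenter's method.

```python
"""Triage a DNS query log for a suspicious TLD (.win here).

Added example, not from the original page. The log lines below are constructed
in an assumed format: "<timestamp> <client IP> <queried name> <record type>".
"""
import math
from collections import Counter

# Constructed sample log. Two clients; one queries word-like .win names,
# the other queries random-looking .win names.
SAMPLE_LOG = """\
2024-03-01T10:00:01 192.168.1.20 bigwinnerprizes.win A
2024-03-01T10:00:02 192.168.1.20 luckyspinclub.win A
2024-03-01T10:00:03 192.168.1.20 freebonuscasino.win A
2024-03-01T10:00:04 192.168.1.31 www.example.com A
2024-03-01T10:00:05 192.168.1.31 xq7zk3pwl9ta.win A
2024-03-01T10:00:06 192.168.1.31 t8vmq2hn0rcu.win A
2024-03-01T10:00:07 192.168.1.20 update.microsoft.com A
"""

# Constructed stand-in for a real English word list.
WORDS = {"big", "winner", "prizes", "lucky", "spin", "club", "free", "bonus",
         "casino", "win", "www", "example", "com", "update", "microsoft"}

# "Always block" list as the comment suggests: the bare TLD label.
ALWAYS_BLOCK = {"win"}


def parse_log(text):
    """Return a list of (client_ip, qname) from well-formed lines; skip the rest."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append((parts[1], parts[2].rstrip(".").lower()))
    return records


def tld(qname):
    """Rightmost label of the name."""
    return qname.rsplit(".", 1)[-1]


def entropy(s):
    """Shannon entropy of the characters in s, in bits."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dictionary_coverage(label, words=WORDS, min_len=3):
    """Fraction of the label covered by a greedy longest-match split into dictionary words."""
    covered, i = 0, 0
    while i < len(label):
        match = 0
        for j in range(len(label), i + min_len - 1, -1):
            if label[i:j] in words:
                match = j - i
                break
        if match:
            covered += match
            i += match
        else:
            i += 1
    return covered / len(label) if label else 0.0


def classify(qname):
    """Label the registrable name 'dga-like' when it is long, high-entropy and
    mostly not dictionary words; otherwise 'lexical'. Thresholds are assumptions."""
    labels = qname.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) >= 10 and dictionary_coverage(label) < 0.5 and entropy(label) > 3.0:
        return "dga-like"
    return "lexical"


def is_blocked(qname, blocklist=ALWAYS_BLOCK):
    """True when the name or any of its parent suffixes, down to the TLD, is listed.
    A blocked TLD catches every name under it; 'win' as a middle label is not matched."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def summarize(records, suspect_tld="win"):
    """Queries per TLD, .win queries per client, and a verdict per .win name."""
    by_tld = Counter(tld(q) for _, q in records)
    by_client = Counter(c for c, q in records if tld(q) == suspect_tld)
    verdicts = {q: classify(q) for _, q in records if tld(q) == suspect_tld}
    return by_tld, by_client, verdicts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_tld, by_client, verdicts = summarize(recs)
    print("queries per TLD:", dict(by_tld))
    print(".win queries per client:", dict(by_client))
    for name, verdict in verdicts.items():
        print(f"{name:25s} {verdict:9s} blocked={is_blocked(name)}")
```

The per-client counter is the part that answers "which machine is the source"; the verdict column separates word-like names (what the comment observes) from the random-looking strings a DGA would produce. Note that the suffix match in `is_blocked` deliberately does not match a name such as `foo.win.example.com`, since the block entry is meant to be the TLD, not the substring.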
