Reverse DNS Reconnaissance not detected


If you try to dump the DNS reverse lookup zone, ATP will not raise an issue. If you execute the following command for your IP subnet, it is undetected by ATP, and an attacker will have all your IP address and server name combinations:

for /L %i in (1,1,255) do @nslookup 10.1.1.%i 2>nul | find "Name" && echo 10.1.1.%i

It's nice that ATP will detect a full zone transfer, but I don't think that an attacker will try to dump the entire zone of your Active Directory domain, because in every "default" DNS installation this will not be possible.


But using the reverse brute-force DNS method is more useful; it will provide a lot of useful information. I would recommend that ATP and ATA should detect such an "attack" or reconnaissance technique. I think it's easy to detect a lot of follow-up DNS queries from one client, or to learn how many queries are "usual" from a specific client and use this information for detecting unusual behaviors.
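The two detection ideas in the post above (many PTR queries from one client in a short time, and a per-client baseline of what is "usual") can be prototyped against DNS query logs. The following is an added example written for this thread; it is not code from the original post and not part of ATP or ATA. It assumes a simple one-query-per-line log format, `"<date> <time> <client_ip> <qtype> <qname>"`, with lines in time order; the sample log, the threshold values and the baseline dictionary are all constructed for illustration.

```python
"""Flag reverse-lookup (PTR) sweeps in DNS query logs.

Added example for the thread above; not product code from ATP or ATA.
Assumed log line format (an assumption, not any vendor's real format):
    "<YYYY-MM-DD HH:MM:SS> <client_ip> <qtype> <qname>"
Lines are assumed to arrive in chronological order.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: two clients do ordinary lookups, while 10.1.1.50
# walks 10.1.1.1 .. 10.1.1.40 with one PTR query per second.
SAMPLE_LOG = (
    [
        "2024-01-10 09:00:00 10.1.1.20 A fileserver.corp.example",
        "2024-01-10 09:00:05 10.1.1.20 PTR 5.1.1.10.in-addr.arpa",
        "2024-01-10 09:00:30 10.1.1.21 A mail.corp.example",
    ]
    + [f"2024-01-10 09:01:{i:02d} 10.1.1.50 PTR {i}.1.1.10.in-addr.arpa"
       for i in range(1, 41)]
)

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, qtype, qname) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3).upper(), m.group(4).lower()


def detect_ptr_sweeps(lines, max_distinct=20, window_seconds=60):
    """Sliding-window burst detector (idea 1 in the post).

    Returns {client_ip: peak number of distinct in-addr.arpa names the client
    queried inside any window_seconds-long window} for clients whose peak
    exceeds max_distinct. Threshold values are assumptions for the example.
    """
    windows = defaultdict(deque)   # client -> deque of (timestamp, qname)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qtype, qname = rec
        if qtype != "PTR" or not qname.endswith(".in-addr.arpa"):
            continue
        q = windows[client]
        q.append((ts, qname))
        # Drop entries that have fallen out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct > max_distinct:
            peaks[client] = max(peaks.get(client, 0), distinct)
    return peaks


def ptr_counts(lines):
    """Total PTR queries per client over the whole log (input for idea 2)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "PTR":
            counts[rec[1]] += 1
    return dict(counts)


def flag_against_baseline(counts, baseline, factor=5):
    """Baseline comparison (idea 2 in the post).

    `baseline` maps client_ip -> its usual PTR count for the same period; a
    client is flagged when it exceeds factor * usual, or has no baseline at all.
    """
    flagged = []
    for client, n in counts.items():
        usual = baseline.get(client)
        if usual is None or n > factor * usual:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("burst sweeps:", detect_ptr_sweeps(SAMPLE_LOG))
    counts = ptr_counts(SAMPLE_LOG)
    # Constructed baseline of "usual" daily PTR counts for the sample clients.
    baseline = {"10.1.1.20": 2, "10.1.1.50": 3}
    print("above baseline:", flag_against_baseline(counts, baseline))
```

On the sample log the burst detector reports only 10.1.1.50, with 40 distinct reverse names in a single minute, while the single PTR lookup from 10.1.1.20 stays below the threshold; the baseline check flags the same client because 40 queries is far above its usual 3. In practice the threshold and window would be tuned against real traffic, since some hosts (mail gateways, proxies, monitoring tools) legitimately issue many PTR queries.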


Thanks for the feedback, Stefan.

Don't forget, however, that even failed DNS recon attempts generate alerts, and we do see attackers attempting these types of queries whether they are successful or not.