Splunk Lantern

DNS queries to randomized subdomains

You might want to see what DNS queries to unusually random subdomains occur on your network when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You have a hypothesis that you can find suspicious domains in DNS. You want to examine the domain or subdomain fields in your Splunk instance in an attempt to find high levels of Shannon entropy (randomness) or potentially dissect the various aspects of the FQDN. 

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Stream DNS data. You can replace this source with any other DNS data used in your organization.

  1. Run the following search: 
sourcetype=stream:dns host=<host name> record_type=A
|table query{}
|lookup ut_parse_extended_lookup url AS query{}
|search ut_domain!=None NOT (ut_domain_without_tld=microsoft OR ut_domain_without_tld=msn OR ut_domain_without_tld=windows.com OR ut_domain_without_tld=qwest.net)
|`ut_shannon(ut_subdomain)`
|stats count BY query{} ut_subdomain ut_domain ut_domain_without_tld ut_tld ut_shannon
|sort - ut_shannon

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search | Explanation

sourcetype=stream:dns

Search only Stream DNS data.

host=<host name> 

Search data from a specified host only.


record_type=A

Search only DNS A records, which return IPv4 addresses.

|table query{}

Display the results in a table with the query{} column.

|lookup ut_parse_extended_lookup url AS query{}

Parse the value of the query{} field as a URL with the ut_parse_extended_lookup lookup, which adds the ut_subdomain, ut_domain, ut_domain_without_tld and ut_tld fields used by the rest of the search.

|search ut_domain!=None NOT (ut_domain_without_tld=microsoft OR ut_domain_without_tld=msn OR ut_domain_without_tld=windows.com OR ut_domain_without_tld=qwest.net)

Discard results where no domain could be parsed (ut_domain is None) and exclude the common, known-good domains listed.

|`ut_shannon(ut_subdomain)`

Calculate the entropy score for only the subdomain.

The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

|stats count BY query{} ut_subdomain ut_domain ut_domain_without_tld ut_tld ut_shannon

Calculate the number of times each URL appears in the search results and display the count, along with all the parsed fields from the URL and the Shannon entropy score for the subdomain.

|sort - ut_shannon

Sort the table with the highest entropy score first.
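The following Python script is an added illustration of what the search above does outside Splunk; it is not part of the original article and does not use the URL Toolbox code. It parses each FQDN into subdomain, registered domain and TLD (the KNOWN_SUFFIXES set is a small stand-in for a real public suffix list), drops unparseable names and the excluded domains, scores each subdomain with Shannon entropy in bits (log base 2), counts repeats, and sorts with the highest entropy first. The sample queries are constructed, not real traffic.

```python
import math
from collections import Counter

# Constructed sample of DNS A-record query names (not real data).
SAMPLE_QUERIES = [
    "www.microsoft.com",
    "mail.example.com",
    "a8f3kq9z2x7v1b4m.example.net",
    "update.windows.com",
    "x9qz1p7k.tunnel.example.org",
    "cdn.example.com",
    "a8f3kq9z2x7v1b4m.example.net",
    "localhost",
]

# Two-label public suffixes to recognise (assumption: a real deployment would
# use the full Public Suffix List, which is what URL Toolbox relies on).
KNOWN_SUFFIXES = {"co.uk", "com.au"}

# Mirrors the exclusion list in the search. The script checks both the
# domain-without-TLD and the full domain, which is slightly more lenient
# than the literal SPL filter.
EXCLUDED = {"microsoft", "msn", "windows.com", "qwest.net"}


def shannon_entropy(text):
    """Shannon entropy of a string in bits; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_fqdn(fqdn):
    """Split an FQDN into the fields the search uses; None if no domain."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None  # equivalent to ut_domain=None in the search
    last_two = ".".join(labels[-2:])
    tld = last_two if last_two in KNOWN_SUFFIXES else labels[-1]
    tld_labels = tld.count(".") + 1
    if len(labels) < tld_labels + 1:
        return None
    domain_without_tld = labels[-tld_labels - 1]
    return {
        "subdomain": ".".join(labels[:-tld_labels - 1]),
        "domain": domain_without_tld + "." + tld,
        "domain_without_tld": domain_without_tld,
        "tld": tld,
    }


def rank_queries(queries, excluded=EXCLUDED):
    """Return rows (query, parsed fields, entropy, count) sorted by entropy desc."""
    rows = {}
    for query in queries:
        parsed = parse_fqdn(query)
        if parsed is None:
            continue
        if parsed["domain_without_tld"] in excluded or parsed["domain"] in excluded:
            continue
        if query not in rows:
            rows[query] = dict(query=query, **parsed,
                               entropy=shannon_entropy(parsed["subdomain"]),
                               count=0)
        rows[query]["count"] += 1  # same role as "stats count BY ..."
    return sorted(rows.values(), key=lambda r: r["entropy"], reverse=True)


if __name__ == "__main__":
    for row in rank_queries(SAMPLE_QUERIES):
        print(f'{row["entropy"]:.3f}  {row["count"]:>3}  {row["query"]}')
```

A sixteen-character subdomain of sixteen distinct characters scores the maximum 4.0 bits, while names like www or cdn score at or near zero, which is the separation the search relies on. Short labels cap the attainable entropy, so a threshold should be chosen relative to subdomain length rather than as a single global cutoff.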

Result

You can reduce the number of results by using filters to eliminate common domains or subdomains that you know are safe. After you have a list of suspicious subdomains, pivot back to the systems generating these DNS requests to find threats.
