Splunk Lantern

DNS queries to randomized subdomains

 

You have a hypothesis that you can find suspicious domains in DNS. You want to examine the domain and subdomain fields in your Splunk instance to find names with high Shannon entropy (randomness), which is typical of machine-generated subdomains such as those produced by domain generation algorithms or DNS tunneling, and to dissect the various parts of the FQDN (subdomain, registered domain, TLD) so that each can be inspected separately.

Required data

DNS data

Procedure

This sample search uses Splunk Stream DNS data. You can replace this source with any other DNS data used in your organization, as long as the queried name is available in a field you can pass to the lookup. In addition, you must install the URL Toolbox app from Splunkbase, which provides the ut_parse_extended_lookup lookup and the ut_shannon macro used below.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=stream:dns host=<host name> record_type=A
|table query{}
|lookup ut_parse_extended_lookup url AS query{}
|search ut_domain!=None NOT (ut_domain_without_tld=microsoft OR ut_domain_without_tld=msn OR ut_domain_without_tld=windows OR ut_domain_without_tld=qwest)
|`ut_shannon(ut_subdomain)`
|stats count BY query{} ut_subdomain ut_domain ut_domain_without_tld ut_tld ut_shannon
|sort - ut_shannon

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=stream:dns

Search only Stream DNS data.

host=<host name> 

Search data from a specified host only.


record_type=A

Search only DNS A records, which return IPv4 addresses.

|table query{}

Keep only the query{} field (the name that was queried) and display it as a table. Every later command operates on this field alone, so add any other fields you want to keep, such as the source host, to this table command.

|lookup ut_parse_extended_lookup url AS query{}

Pass the value of query{} to the URL Toolbox lookup as its url input. The lookup parses each name and adds the ut_* fields used below (ut_subdomain, ut_domain, ut_domain_without_tld, ut_tld, and others); query{} itself is unchanged.

|search ut_domain!=None NOT (ut_domain_without_tld=microsoft OR ut_domain_without_tld=msn OR ut_domain_without_tld=windows OR ut_domain_without_tld=qwest)

Drop events where URL Toolbox could not extract a registered domain (it sets ut_domain to the string None in that case) and exclude the well-known domains listed. ut_domain_without_tld holds only the registered label (microsoft for microsoft.com, qwest for qwest.net), so compare it against that label rather than against the full domain, or a value such as windows.com will never match.

|`ut_shannon(ut_subdomain)`

Run the URL Toolbox ut_shannon macro on ut_subdomain to calculate the Shannon entropy of the subdomain portion only and store it in the ut_shannon field. Entropy is measured in bits per character; a label of identical characters scores 0, and a label of n distinct characters scores log2(n), so long labels of mixed letters and digits score highest.

The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

|stats count BY query{} ut_subdomain ut_domain ut_domain_without_tld ut_tld ut_shannon

Calculate the number of times each queried name appears in the search results and display the count, along with the parsed parts of the name and the Shannon entropy score of its subdomain. Including ut_shannon in the BY clause does not split the groups further, because the score is a function of ut_subdomain.

|sort - ut_shannon

Sort the table with the highest entropy score first.
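The following Python is an added, stand-alone illustration of what the search does end to end; it is not code from Splunk Lantern or from the URL Toolbox app. It uses a constructed list of queried names in place of the query{} field, a one-entry stand-in for the public suffix list so that co.uk is treated as a TLD, and the convention that a missing subdomain scores zero entropy. The allowlist, field names and sample names are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample input: queried names from DNS A-record events, standing in
# for the query{} field of the Splunk search. Not data from the original page.
SAMPLE_QUERIES = [
    "www.microsoft.com",
    "www.microsoft.com",
    "mail.example.co.uk",
    "login.live.com",
    "microsoft.com",
    "ns1.qwest.net",
    "k3x9qz7mt2wb.evil-example.net",
    "k3x9qz7mt2wb.evil-example.net",
    "p0vj4a8ydhlc.evil-example.net",
    "3f8a1c9e2b7d4a6f0e5b.tunnel-example.org",
]

# Stand-in for the public suffix data that URL Toolbox consults. Assumption for
# this example: these are the only multi-label effective TLDs we recognise.
MULTI_LABEL_SUFFIXES = {"co.uk"}

# Domains the search excludes, keyed on the registered label without its TLD.
ALLOWLIST_WITHOUT_TLD = {"microsoft", "msn", "windows", "qwest"}


def shannon_entropy(text):
    """Shannon entropy in bits per character, the quantity ut_shannon computes."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_fqdn(fqdn):
    """Split a name into ut_subdomain, ut_domain, ut_domain_without_tld and ut_tld.

    Mirrors URL Toolbox's convention of the string "None" for a missing part.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    tld = labels[-1]
    if len(labels) >= 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        tld = ".".join(labels[-2:])
    tld_labels = tld.count(".") + 1
    if len(labels) <= tld_labels:  # a bare TLD, nothing registered
        return {"ut_subdomain": "None", "ut_domain": "None",
                "ut_domain_without_tld": "None", "ut_tld": tld}
    without_tld = labels[-(tld_labels + 1)]
    subdomain = ".".join(labels[:-(tld_labels + 1)]) or "None"
    return {"ut_subdomain": subdomain, "ut_domain": without_tld + "." + tld,
            "ut_domain_without_tld": without_tld, "ut_tld": tld}


def rank_by_subdomain_entropy(queries):
    """Equivalent of the search's lookup, filter, ut_shannon, stats and sort steps.

    Returns one row per distinct query, sorted by descending subdomain entropy.
    """
    counts = Counter(queries)  # stats count BY query{}
    rows = []
    for query, count in counts.items():
        parts = parse_fqdn(query)
        if parts["ut_domain"] == "None":  # ut_domain!=None
            continue
        if parts["ut_domain_without_tld"] in ALLOWLIST_WITHOUT_TLD:  # NOT (...)
            continue
        sub = parts["ut_subdomain"]
        # Assumption: a missing subdomain ("None") is scored as an empty string.
        entropy = shannon_entropy("" if sub == "None" else sub)
        rows.append({"query": query, **parts,
                     "ut_shannon": round(entropy, 4), "count": count})
    rows.sort(key=lambda r: r["ut_shannon"], reverse=True)  # sort - ut_shannon
    return rows


if __name__ == "__main__":
    for row in rank_by_subdomain_entropy(SAMPLE_QUERIES):
        print(f'{row["ut_shannon"]:6.3f}  {row["count"]:3d}  {row["query"]}')
```

Running it prints the twenty-character hexadecimal label first (about 3.92 bits per character), the two twelve-character random labels next (log2(12), about 3.58), and the ordinary names last; the allowlisted Microsoft and Qwest names never reach the table, exactly as the search's filter intends.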

Next steps

You can reduce the number of results by using filters to eliminate common domains or subdomains that you know are safe. Expect legitimate high-entropy subdomains from content delivery networks, cloud storage, and antivirus or telemetry services, so build an allowlist from your own baseline rather than treating the score alone as a verdict. Many distinct high-entropy subdomains under a single registered domain are a stronger sign of tunneling than one high-scoring name. After you have a list of suspicious subdomains, pivot back to the systems generating these DNS requests to find threats.

Finally, you might be interested in other processes associated with these use cases: