Sinkhole DNS report

This report lists DNS queries seen from recursive DNS servers for sinkholed domains. Please note that the IPs listed are those of the recursive resolvers, not the actual source IP of the client that made the query, and hence are likely not infected hosts. This report is therefore to be used primarily to support investigations into a threat, and not as a source of direct identification of infected hosts.

Subsequent IP connections (such as HTTP connections) to the sinkhole from infected machines are listed in the Sinkhole HTTP report and the Sinkhole6 HTTP report.

The Sinkhole DNS report is not a default report.

Fields

  • timestamp
    Timestamp in UTC+0 of the DNS query
  • ip
    IP of the recursive resolver making the query
  • port
    Source port of the query
  • host
    Hostname (PTR record) of the IP of the recursive resolver making the query
  • asn
    ASN of the recursive resolver
  • geo
    Country location of the recursive resolver
  • type
    DNS query type (e.g. NS, SOA, A)
  • count
    Number of queries seen
  • query
    Sinkholed domain name being queried
  • response
    Response to query
  • tag
    Tagging information, such as information on which threat is associated with the sinkholed domain
  • naics
    North American Industry Classification System Code
  • region
    State / Province / Administrative region where the recursive resolver resides
  • sector
    Sector classification of IP space where the recursive resolver resides

Sample

"timestamp","ip","port","host","asn","geo","type","count","query","response","tag","naics","region","sector"
"2020-12-21 00:00:00","217.31.x.x",40159,,25192,"CZ","A",1,"4.wiNsrw.Com",,"boaxxe",0,"PRAHA",
"2020-12-21 00:00:01","172.217.x.x",45842,,15169,"CA","A",1,"mangomediaads.rtb-useast.ak-is.net",,"kovter",519130,"QUEBEC","Information Technology"
"2020-12-21 00:00:02","213.140.x.x",54128,,35432,"CY","A",1,"1.WiNSrW.Com",,"boaxxe",0,"LEFKOSIA",
"2020-12-21 00:00:02","213.140.x.x",33928,,35432,"CY","A",1,"5.WiNSRw.CoM",,"boaxxe",0,"LEFKOSIA",
"2020-12-21 00:00:05","67.215.x.x",21631,,36692,"SG","A",1,"7-3-1-8-7-6-3-0-1-1-4-3-0-2-5-7-4-1-8-3-2-6-1-4-2-7-5-3-3-7-5-.0-0-0-0-0-0-0-0-0-0-0-0-0-10-0-0-0-0-0-0-0-0-0-0-0-0-0.info",,"tsifiri",0,"CENTRAL","Communications"
"2020-12-21 00:00:06","43.252.x.x",62937,,38044,"MY","A",1,"3-7-4-0-6-5-5-0-6-6-8-3-7-1-3-2-8-5-4-6-6-6-6-1-1-4-6-5-5-8-6-.0-0-0-0-0-0-0-0-0-0-0-0-0-5-0-0-0-0-0-0-0-0-0-0-0-0-0.info",,"tsifiri",0,"SABAH","Communications"
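As an added example (not part of the report or any Shadowserver tooling; the function names parse_rows, summarize_by_resolver and domains_for_tag are assumptions of this example), a small Python parser over the sample rows above. It case-folds the query names, which arrive with randomized letter case, and summarizes the query counts per resolver and per tag, since the ip field identifies the recursive resolver rather than the infected client.

```python
import csv
import io
from collections import defaultdict

# Constructed input: four rows copied from the report sample above.
SAMPLE = '''"timestamp","ip","port","host","asn","geo","type","count","query","response","tag","naics","region","sector"
"2020-12-21 00:00:00","217.31.x.x",40159,,25192,"CZ","A",1,"4.wiNsrw.Com",,"boaxxe",0,"PRAHA",
"2020-12-21 00:00:01","172.217.x.x",45842,,15169,"CA","A",1,"mangomediaads.rtb-useast.ak-is.net",,"kovter",519130,"QUEBEC","Information Technology"
"2020-12-21 00:00:02","213.140.x.x",54128,,35432,"CY","A",1,"1.WiNSrW.Com",,"boaxxe",0,"LEFKOSIA",
"2020-12-21 00:00:02","213.140.x.x",33928,,35432,"CY","A",1,"5.WiNSRw.CoM",,"boaxxe",0,"LEFKOSIA",
'''


def parse_rows(text):
    """Parse the report CSV into dicts. The query is lower-cased because
    resolvers randomize QNAME letter case, so '4.wiNsrw.Com' and
    '1.WiNSrW.Com' would otherwise look like unrelated names."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["count"] = int(row["count"] or 0)  # empty count -> 0
        row["query"] = row["query"].lower()
        rows.append(row)
    return rows


def summarize_by_resolver(rows):
    """Sum query counts per (resolver ip, asn) and per tag.
    Because ip is the recursive resolver, not the infected client, the
    result tells an investigator which resolvers (and ASNs) are seeing
    lookups for each threat's sinkholed domains; it does not name hosts."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        summary[(r["ip"], r["asn"])][r["tag"]] += r["count"]
    return {key: dict(tags) for key, tags in summary.items()}


def domains_for_tag(rows, tag):
    """Distinct case-folded sinkholed domains queried for one tag."""
    return sorted({r["query"] for r in rows if r["tag"] == tag})


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    for resolver, tags in summarize_by_resolver(parsed).items():
        print(resolver, tags)
    print(domains_for_tag(parsed, "boaxxe"))
```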
