This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What could be the possible reasons for rapid DNS requests on the same hostname?

0

In a malware pcap file, I saw a client keep doing DNS requests on the same hostname. I wonder what could be happening. Any theories?

Here is the pcap: https://www.dropbox.com/s/3a43pp28t067lyy/consecutiveDnsReqs.pcap?dl=0


asked 02 May '16, 10:08


pktUser1001
accept rate: 12%


One Answer:

0

Most likely caused by a program that doesn't cache results, or which is simply coded to check for this name all the time (for whatever reason, but it ain't for stealth).

answered 02 May '16, 11:00


Jasper ♦♦
accept rate: 18%

That's possible, but my problem is why the client didn't do anything (for example, start a new TCP connection) after getting the DNS response; instead, it immediately sent the same DNS request.

(02 May '16, 11:18) pktUser1001

Maybe the DNS reply is a signal and the malware will only communicate when a certain IP is returned. This sometimes happens to avoid putting suspicious TCP/UDP traffic on the internet link when there's nothing the C&C servers want to tell their bots. Mostly they return loopback IPs for those DNS queries, though (or used to), but loopback answers are suspicious enough on their own.

In the end, you can't tell without reverse engineering the binary that did the name lookups.

Again, asking for the same thing in such a quick way is stupid.

(02 May '16, 11:27) Jasper ♦♦
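The two signals discussed in this thread (a client re-asking the same name in rapid succession, and DNS answers that point at a loopback address) can both be checked mechanically over DNS logs. The script below is an added example, not code from the original post or from Wireshark; the log format (epoch seconds, client IP, query name, rcode, comma-separated answer IPs) and the sample records are constructed for the illustration, so adapt the parser to whatever your resolver or IDS actually writes.

```python
"""Flag DNS query patterns like the one in the thread.

Added example, not from the original post. The line format and the
SAMPLE_LOG records are constructed; replace parse_log() with a parser for
your own resolver or IDS output.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log, one record per line:
#   epoch_seconds client qname rcode answer_ips(comma-separated or "-")
SAMPLE_LOG = """\
1462200000.000 10.0.0.5 update.example.invalid NOERROR 127.0.0.1
1462200000.310 10.0.0.5 update.example.invalid NOERROR 127.0.0.1
1462200000.620 10.0.0.5 update.example.invalid NOERROR 127.0.0.1
1462200000.930 10.0.0.5 update.example.invalid NOERROR 127.0.0.1
1462200001.240 10.0.0.5 update.example.invalid NOERROR 127.0.0.1
1462200002.000 10.0.0.7 www.example.com NOERROR 93.184.216.34
1462200062.000 10.0.0.7 www.example.com NOERROR 93.184.216.34
1462200003.000 10.0.0.5 ntp.example.net NXDOMAIN -
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode, answers = line.split()
        ips = [] if answers == "-" else answers.split(",")
        records.append({
            "ts": float(ts),
            "client": client,
            # Normalise the name so "Foo.Example." and "foo.example" match.
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
            "answers": ips,
        })
    return records


def rapid_repeats(records, window=10.0, min_count=5):
    """Return (client, qname, count) for every client/name pair that was
    queried at least `min_count` times inside some `window`-second span.

    A sliding window over the sorted timestamps keeps this linear per key,
    so it scales to large logs. A program that does not cache, or malware
    polling a name for a signal, both show up here."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["qname"])].append(r["ts"])
    hits = []
    for (client, qname), times in by_key.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            hits.append((client, qname, best))
    return hits


def loopback_answers(records):
    """Return (client, qname, ip) for answers inside the loopback range
    (127.0.0.0/8 or ::1). A public name resolving to loopback is the
    'nothing to do' signal Jasper describes and is worth a look on its own."""
    hits = []
    for r in records:
        for ip in r["answers"]:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                # Non-address answer (e.g. CNAME target); skip it.
                continue
            if addr.is_loopback:
                hits.append((r["client"], r["qname"], ip))
                break
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, qname, n in rapid_repeats(recs):
        print(f"rapid repeat: {client} asked {qname} {n} times within 10s")
    for client, qname, ip in loopback_answers(recs):
        print(f"loopback answer: {client} got {ip} for {qname}")
```

Tune `window` and `min_count` to your environment: a resolver log for a busy host will legitimately show many lookups of the same name over an hour, but five identical queries inside a couple of seconds, each answered with 127.0.0.1 and followed by no connection attempt, is the shape seen in the capture above and deserves triage of the querying host.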