
Our Cisco Umbrella service is identifying DNS requests to rev1.globalrootservers.net and rev2.globalrootservers.net as malicious. I am trying to figure out whether this is really a problem or if it is a false positive. Below is all the troubleshooting I have performed.

The sole indicators of maliciousness are OpenDNS stating the globalrootservers.net domain is malware and VirusTotal-Fortinet reporting malware as well for rev2.globalrootservers.net. All pointers for the rev1 and rev2 DNS names currently point to 0.0.0.0 as the IP.

The otx.alienvault.com passive DNS entries for globalrootservers.net (Figure 3) change from time to time and IPs resolve to various non-reputable domains.

Since we do not have the Umbrella VA deployed, I cleared the cache and turned on DNS logging on both domain controllers. I caught evidence of the DNS hit from only the 2016 domain controller. After capturing the request and response (Figures 1 and 2) multiple times over many days, it never came from the 2012 domain controller. It looks like the source is our 2016 domain controller and I can’t figure out why this is. I have included the entries below if anyone can tell me this is correct.

Figure 1: DNS Request (image)

Figure 2: DNS Response (image)

I then go to the 2016 Domain Controller cache and look at the entries. The entries from the in-addr folder are below. Can someone help me in understanding what this means?

Since the rev1.globalrootservers.net and rev2.globalrootservers.net entries are the child of the DNS parents (which indicate afrinic.net, lacnic.net, apnic.net, ripe.net and arin.net), is this nothing to worry about?

Figure 3: Parent cache entry (image)

Figure 4: Rev1 and Rev2 child entries (image)

Figure 5: Properties of rev1 and rev2 (image)

Furthermore, when looking up the IP address located in the properties of the rev1 and rev2 cache, it points to Microsoft, which is an Azure SQL Managed Instance within the 20.64.0.0/10 IP range.

I would greatly appreciate any assistance in identifying if this is a real problem, a solution or to further my troubleshooting. Thank you!

  • " I was unable to post more than 8 links. " Don't use links to images. Instead write AS TEXT the useful content. You should not expect anyone having a look at all of them to address your question, your text should be self consistent with everything in it needed to answer it. – Patrick Mevzek Jan 07 '21 at 20:41
  • What is true is that "globalrootservers.net" are not official IANA root servers (those live in `root-servers.net`) – Patrick Mevzek Jan 07 '21 at 20:44
  • Hey Patrick, thanks for the feedback. I have edited the post and included images I think are needed. I understand that these are not official IANA root servers, but from the reverse dns cache entries, what does the parent to child relationship mean? I can't find anywhere that will accurately explain this to me. Thanks for your help. – user611054 Jan 07 '21 at 21:18

1 Answer


I finally found the problem after days of collecting logs. The initiating request is occurring from 85.93.20.247:8080. The firewall blocks the request and a little later attempts to perform a reverse lookup on the IP. It can't be resolved and ends up going to root hint resolvers on our DNS server which finally resolves it to rev1.globalrootservers.net and rev2.globalrootservers.net. Our DNS server then performs a lookup on the domains and OpenDNS flags it as malware.

To prevent this type of thing from happening again, I disabled the "Use root hints if no forwarders are available" checkbox under the forwarders tab in the DNS properties to prohibit the use of the root hints. We want to only use OpenDNS and other vetted DNS servers instead of the root hints. If those DNS forwarders don't resolve the domain, we don't want the domain resolved.

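The configuration change described in the answer, scripted with the Windows DnsServer cmdlets so it can be audited and applied repeatably. This is an added example, not code from the original post; the `$DnsServer` hostname is a placeholder, and the script assumes the DnsServer module (RSAT) and an elevated session. It refuses to disable root hints when no forwarders exist, since that would leave the server unable to resolve anything external.

```powershell
# Added example (not from the original post): audit and change the
# root-hint fallback on a Windows DNS server, as described in the answer.
# Requires the DnsServer module and an elevated session.
$DnsServer = 'dc2016.example.internal'   # placeholder hostname (assumption)

# 1. Current forwarder settings. UseRootHint = True means that when the
#    forwarders do not answer, the server walks the root hints itself,
#    which is how the in-addr.arpa delegation led to rev1/rev2.
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
"Forwarders : $($fwd.IPAddress -join ', ')"
"UseRootHint: $($fwd.UseRootHint)"

# 2. Guard: with no forwarders at all, turning off root hints would stop
#    every external lookup, so stop here instead of breaking resolution.
if (-not $fwd.IPAddress) {
    throw "No forwarders on $DnsServer; configure vetted forwarders before disabling root hints."
}

# 3. Apply the fix: equivalent to clearing
#    "Use root hints if no forwarders are available" in the Forwarders tab.
Set-DnsServerForwarder -ComputerName $DnsServer -UseRootHint $false

# 4. Drop cached delegation data so the old reverse-zone NS entries
#    (the rev1/rev2 child entries from the question) are not reused.
Clear-DnsServerCache -ComputerName $DnsServer -Force

# 5. Re-read and confirm the setting actually took.
$after = Get-DnsServerForwarder -ComputerName $DnsServer
if ($after.UseRootHint) {
    throw "UseRootHint is still enabled on $DnsServer"
}

# 6. Re-test the reverse lookup the firewall was triggering. It must now be
#    answered by a forwarder or fail; it can no longer go via root hints.
$ptr = '247.20.93.85.in-addr.arpa'   # reverse name for the IP in the answer
Resolve-DnsName -Name $ptr -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
    Format-Table Name, Type, NameHost
```

Repeat the check on every DNS server in the domain; the question shows the two domain controllers behaving differently, so the setting should be verified on each rather than assumed.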