
Suspicious traffic to DNS server that supports non-ICANN TLDs

ID: alternate_dns
Data type: IP
Severity: Medium
MITRE ATT&CK: TA0011 (Command and Control), T1071.004 (Application Layer Protocol: DNS)

Description

AlphaSOC detected network traffic to a DNS server that resolves non-ICANN Top-Level Domains (TLDs). These TLDs are not delegated in the ICANN root zone, so a host can only resolve them through alternative root infrastructure or overlay networks (for example OpenNIC or Emercoin resolvers); seeing such queries therefore means the endpoint is using a resolver outside the organization's normal DNS path. This activity may indicate malicious behavior, as certain malware families use non-standard TLDs (e.g., .onion, .eth, .bazar) for command and control (C2) communication, domain generation algorithms (DGA), or DNS tunneling. Adversaries favor these namespaces because registrations are hard to take down and the traffic bypasses conventional DNS monitoring, which helps them evade detection and maintain covert communication channels.

Impact

Traffic to non-ICANN TLDs can signify an active malware infection or compromised system within the network. Adversaries may use these domains for data exfiltration, receiving commands, or maintaining persistence. This activity can lead to unauthorized access, data theft, and further network compromise if left unchecked.

Severity

Severity | Condition
-------- | ---------
Medium   | Traffic to a DNS server supporting non-ICANN TLDs

Investigation and Remediation

Identify the source host, the alternative DNS server it contacted, and the specific non-ICANN TLD that was queried. Determine whether the alternative resolver is configured system-wide (network adapter or resolv.conf settings, possibly pushed by DHCP or a VPN client) or is used by a single process, and identify that process. Analyze the affected system for other signs of compromise, including unusual processes, files, scheduled tasks, or network connections, and check whether the queried names follow a DGA-like pattern or carry encoded data consistent with DNS tunneling. If malicious activity is confirmed, isolate the system, perform a thorough malware scan, and consider reimaging the device. Update security policies to restrict outbound DNS to approved resolvers and to monitor or block queries for non-ICANN TLDs where appropriate.
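
The following Python is an added example written for this page, not AlphaSOC code. It shows the core of the detection described above (queries whose TLD is not in the ICANN root) and the first triage step (which source hosts are involved, and whether they also talked to a resolver outside the approved set) run over a constructed Zeek-style dns.log subset. The TLD set, the approved-resolver list, the log format and every address in the sample are assumptions for illustration.

```python
"""Added example for the alternate_dns detector page (not AlphaSOC code).

Flags DNS queries for non-ICANN TLDs in a constructed Zeek-style dns.log
subset and marks which source hosts also used a resolver outside the
approved set, which is the first question an analyst asks during triage.
All constants below are assumptions for illustration.
"""
from __future__ import annotations

# Assumption: illustrative, non-exhaustive set of TLDs absent from the ICANN
# root zone: Tor (.onion), ENS (.eth), Emercoin (.bazar, .coin, .emc, .lib),
# Namecoin (.bit). In production, compare against the IANA root zone list.
NON_ICANN_TLDS = {"onion", "eth", "bazar", "coin", "emc", "lib", "bit"}

# Assumption: the organisation's sanctioned recursive resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample data: tab-separated subset of Zeek dns.log fields
# (ts, id.orig_h, id.resp_h, id.resp_p, query). 203.0.113.53 is a
# TEST-NET-3 address standing in for an external alternative-root resolver.
SAMPLE_LOG = """\
1700000000.100\t10.1.2.10\t10.0.0.53\t53\tupdates.example.com
1700000000.250\t10.1.2.10\t10.0.0.53\t53\tvitalik.eth
1700000001.000\t10.1.2.44\t203.0.113.53\t53\tpanel.bazar
1700000001.400\t10.1.2.44\t203.0.113.53\t53\tmail.example.org
1700000002.000\t10.1.2.77\t10.0.1.53\t53\twww.example.net
1700000002.500\t10.1.2.99\t10.0.1.53\t53\tduskgytldkxiuqc6.onion.
"""


def tld_of(qname: str) -> str:
    """Return the lowercase last label, tolerating a trailing root dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def parse_dns_log(text: str) -> list[dict]:
    """Parse the tab-separated subset into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, resolver, port, query = line.split("\t")
        records.append({"ts": float(ts), "src": src, "resolver": resolver,
                        "port": int(port), "query": query})
    return records


def detect(records: list[dict]) -> list[dict]:
    """One finding per (source host, non-ICANN TLD), severity Medium.

    A finding also records whether any of the offending queries went to a
    resolver outside APPROVED_RESOLVERS; that is the strongest sign that
    the endpoint's DNS configuration itself was changed.
    """
    findings: dict[tuple[str, str], dict] = {}
    for r in records:
        tld = tld_of(r["query"])
        if tld not in NON_ICANN_TLDS:
            continue
        f = findings.setdefault((r["src"], tld), {
            "src": r["src"], "tld": tld, "severity": "Medium",
            "queries": [], "resolvers": set(), "unapproved_resolver": False,
        })
        f["queries"].append(r["query"])
        f["resolvers"].add(r["resolver"])
        if r["resolver"] not in APPROVED_RESOLVERS:
            f["unapproved_resolver"] = True
    return list(findings.values())


def prioritize(findings: list[dict]) -> list[dict]:
    """Order for triage: unapproved-resolver hits first, then by host."""
    return sorted(findings, key=lambda f: (not f["unapproved_resolver"], f["src"]))


if __name__ == "__main__":
    for f in prioritize(detect(parse_dns_log(SAMPLE_LOG))):
        flag = "UNAPPROVED RESOLVER" if f["unapproved_resolver"] else "approved resolver"
        print(f'{f["severity"]:6} {f["src"]:12} .{f["tld"]:6} {flag:20} '
              f'{", ".join(f["queries"])} via {", ".join(sorted(f["resolvers"]))}')
```

On the constructed sample, 10.1.2.44 surfaces first: it queried a .bazar name through a resolver that is not on the approved list, so its DNS configuration, not just one lookup, is in question. The .eth and .onion hits went through approved resolvers and correspond to the false-positive cases listed below, which is why the host-level context is needed before escalating.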

Known False Positives

  • Legitimate use of blockchain-related domains (e.g., .eth for Ethereum Name Service)
  • Intentional access to Tor network services (.onion domains)
  • Hosts deliberately configured to use an alternative-root DNS provider such as OpenNIC, which serves non-ICANN TLDs alongside the ICANN root