High volume of reverse DNS lookups indicating scanning activity
Description
AlphaSOC detected a high volume of reverse DNS lookups that may indicate reconnaissance activity. This behavior often involves rapid or systematic querying of PTR records by a port scanner, potentially to map out network infrastructure or identify potential targets. Such activity can be a precursor to more complex attacks.
Impact
Suspicious DNS lookup activity can lead to unauthorized information disclosure about network architecture, potentially exposing critical assets and vulnerabilities. This reconnaissance enables attackers to plan more sophisticated attacks, identify infrastructure vulnerabilities, and potentially discover misconfigurations or forgotten assets that could be exploited.
Severity
| Severity | Condition |
|---|---|
| Medium | High volume of reverse DNS lookups to multiple destinations |
Investigation and Remediation
Investigate the source of the suspicious DNS queries, identifying the systems or users involved. Analyze the specific DNS records being queried and their frequency. If the activity is determined to be malicious, isolate the affected systems, review logs for signs of compromise, and consider implementing stricter DNS query controls.
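As an added example of the triage step above (not AlphaSOC's own code), the following script parses a constructed DNS query log, reconstructs which IPs each client reverse-resolved, and flags clients whose distinct PTR targets meet a threshold; the BIND-style log format and the threshold of 5 are assumptions.

```python
# Added example: per-source reverse-DNS triage over a constructed query log.
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a BIND-style "queries" log format (assumption).
SAMPLE_LOG = """\
10-Mar-2024 09:00:01.101 client 10.0.1.25#51234: query: 1.0.168.192.in-addr.arpa IN PTR +
10-Mar-2024 09:00:01.102 client 10.0.1.25#51235: query: 2.0.168.192.in-addr.arpa IN PTR +
10-Mar-2024 09:00:01.103 client 10.0.1.25#51236: query: 3.0.168.192.in-addr.arpa IN PTR +
10-Mar-2024 09:00:01.104 client 10.0.1.25#51237: query: 4.0.168.192.in-addr.arpa IN PTR +
10-Mar-2024 09:00:01.105 client 10.0.1.25#51238: query: 5.0.168.192.in-addr.arpa IN PTR +
10-Mar-2024 09:00:02.001 client 10.0.1.40#40000: query: www.example.com IN A +
10-Mar-2024 09:00:02.002 client 10.0.1.40#40001: query: 8.8.8.8.in-addr.arpa IN PTR +
10-Mar-2024 09:00:02.003 client 10.0.1.40#40002: query: 8.8.8.8.in-addr.arpa IN PTR +
"""

# Matches only PTR queries; A/AAAA lookups are ignored for this detection.
PTR_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN PTR")

def ptr_name_to_ip(qname):
    """Turn '1.0.168.192.in-addr.arpa' into '192.168.0.1'; None if not an IPv4 PTR name."""
    name = qname.rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def reverse_lookup_targets(log_text):
    """Map each querying client to the set of distinct IPs it reverse-resolved."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = PTR_RE.search(line)
        if not m:
            continue
        ip = ptr_name_to_ip(m.group("qname"))
        if ip:
            targets[m.group("src")].add(ip)
    return targets

def flag_scanners(log_text, min_distinct=5):
    """Return sources whose count of distinct reverse-lookup targets meets the threshold."""
    return {src: sorted(ips) for src, ips in reverse_lookup_targets(log_text).items()
            if len(ips) >= min_distinct}
```

Repeated lookups of the same address (10.0.1.40 above) count once, so the threshold reflects breadth of targets rather than raw query volume; tune `min_distinct` against the baseline of legitimate resolvers and monitoring hosts in the environment.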