Internal hosts querying large number of DNS servers
This alert identifies internal hosts performing DNS queries against multiple distinct DNS servers within a predefined time window.
MITRE ATT&CK Tactics
Firewall Traffic Logs
Valid software that uses DNS for transferring data
Personal devices (BYOD) connected to the corporate network
Wireless-connected devices may tend to generate a lot of DNS traffic to unsanctioned servers
1. Review internal system and identify any suspicious applications or processes running on it.
2. Perform a full AV/AM scan on the targeted machine.
3. For organizations that use internal DNS servers, the perimeter firewall will see the spike as originating from the internal DNS server rather than the end host; non-sanctioned DNS servers can be blocked at the perimeter.
4. Additional review of the DNS server events may be required to identify the source machine generating the high volume of DNS traffic.
5. Review the corporate DNS and DHCP infrastructure and adjust any non-standard settings.
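The detection described above, run over firewall traffic logs, as an added example that is not part of the original rule page: it counts the distinct DNS servers each internal source contacts inside a sliding window and excludes the sanctioned corporate resolvers, so that hosts forwarding through the internal DNS server (step 3) do not trip the alert. The log format, IP addresses, window size and threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall traffic logs (not from the original page):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>", one flow per line.
SAMPLE_LOGS = """\
2024-05-01T09:00:05 10.0.1.20 10.0.0.53 53
2024-05-01T09:01:10 10.0.1.20 8.8.8.8 53
2024-05-01T09:02:30 10.0.1.20 1.1.1.1 53
2024-05-01T09:03:00 10.0.1.20 9.9.9.9 53
2024-05-01T09:04:15 10.0.1.20 208.67.222.222 53
2024-05-01T09:00:40 10.0.1.21 10.0.0.53 53
2024-05-01T09:05:00 10.0.1.21 10.0.0.53 53
2024-05-01T09:30:00 10.0.1.22 8.8.8.8 53
2024-05-01T10:30:00 10.0.1.22 1.1.1.1 53
2024-05-01T11:30:00 10.0.1.22 9.9.9.9 53
"""

# Assumed sanctioned corporate resolver(s); queries to these are expected and not counted.
SANCTIONED_DNS = {"10.0.0.53"}


def parse_log(text):
    """Yield (timestamp, src, dst) for every port-53 flow in the log text."""
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        if dport == "53":
            yield datetime.fromisoformat(ts), src, dst


def hosts_querying_many_dns_servers(text, window_minutes=10, threshold=3):
    """Return {src: max distinct unsanctioned DNS servers in any single window}
    for every source that reaches the threshold within one window."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if dst not in SANCTIONED_DNS:
            by_src[src].append((ts, dst))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct servers contacted in [start, start + window]
            servers = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(servers))
        if best >= threshold:
            flagged[src] = best
    return flagged
```

With the constructed sample, 10.0.1.20 is flagged (four unsanctioned resolvers in five minutes), 10.0.1.21 is not (only the sanctioned resolver), and 10.0.1.22 is not because its three resolvers are spread over two hours; widening the window to three hours flags it as well.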