Imperva Cyber Community

  • 1.  DNS query using JSON

    Posted 09-03-2023 14:11

    Dear all,

    Greetings!!

    Hope you're all doing great!!

    We have received a DNS query using JSON and content type: application/dns-query or dns-message. Could anyone explain what kind of traffic this is, whether it's a normal DNS check or a kind of DNS-based attack?

    Disposition: none (whether we need to report this kind of pattern)


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Jagadesh Kumar R
    Information Security Group, Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------


  • 2.  RE: DNS query using JSON

    Posted 09-03-2023 23:55

    Hey Jagadesh,

    I appreciate your post on the community. 

    1. DNS-over-HTTP (DoH) Inquiry:

    • You mentioned this seems like a DoH request, but the big question is, does the host actually support DNS queries via HTTP?

    2. Missing Payload Info:

    • In the first request, there's a "Content-Length" of 29 bytes, but we're missing the actual payload details. Can you provide that info?

    3. Malicious or Not?:

    • So far, it doesn't seem "malicious." But if the host isn't set up for DoH, that's when it starts looking fishy. Also, what is the response code from the web server for this? This will give us more information on whether it supports DoH.

    Feel free to share more details, and we'll keep this conversation going.



    ------------------------------
    Nikhil Nandode
    ------------------------------
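
For the missing-payload question in the reply above, this added example (not code from either poster or from Imperva) decodes a request body logged with content type application/dns-message, which in RFC 8484 DoH is a raw DNS wire-format message, so an analyst can see which name and record type were requested. `parse_dns_query` and `SAMPLE` are hypothetical names; `SAMPLE` is a constructed 29-byte query for example.com, the same size as the Content-Length mentioned in the thread but not the actual captured payload.

```python
import struct

# Common record types; anything else is reported by number.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}

def parse_dns_query(body: bytes) -> dict:
    """Decode the header and first question of a DNS wire-format message."""
    if len(body) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", body[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(body):
            raise ValueError("truncated name")
        length = body[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length & 0xC0:        # pointers do not belong in a first question
            raise ValueError("compression pointer or reserved label type")
        if pos + length > len(body):
            raise ValueError("label runs past end of body")
        labels.append(body[pos:pos + length].decode("ascii", "backslashreplace"))
        pos += length
    if pos + 4 > len(body):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", body[pos:pos + 4])
    return {
        "id": msg_id,
        "is_query": (flags & 0x8000) == 0,        # QR bit clear means query
        "recursion_desired": bool(flags & 0x0100),
        "qname": ".".join(labels) or ".",
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": qclass,
        "trailing_bytes": len(body) - (pos + 4),  # EDNS or unexpected extra data
    }

# Constructed sample: header (ID 0, RD set, 1 question) + "example.com" + A/IN.
SAMPLE = bytes.fromhex("0000" "0100" "0001" "0000" "0000" "0000"
                       "076578616d706c6503636f6d00" "0001" "0001")

if __name__ == "__main__":
    print(len(SAMPLE), parse_dns_query(SAMPLE))
```

A body that fails to parse, or that parses but arrives at a host that offers no DoH service, is worth correlating with the web server's response code, as the reply suggests.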