Signature
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - TLD domain - .cn DNS query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|CN|00|"; fast_pattern; nocase; distance:0; reference:url,networkforensic.dk; metadata:20042015; classtype:bad-unknown; sid:5017803; rev:4;)
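The rule matches in two steps: bytes 2-11 of the UDP payload must be a standard query with recursion desired, one question and empty answer/authority/additional sections, and somewhere after that header the byte string |02|CN|00| (a two-byte label "cn" followed by the root label, case-insensitive) must appear. The following added Python example, written for this page and not part of the networkforensic.dk rule set, builds constructed DNS queries and applies the same two checks, alongside a proper QNAME parse so the rule's reliance on the header bytes is visible (a query with the RD flag cleared still targets .cn but does not fire the rule).

```python
import struct

# Bytes the rule requires at offset 2 with depth 10: flags 0x0100
# (standard query, recursion desired), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
RULE_HEADER = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
# Second content match: a 2-byte label "cn" followed by the root label.
RULE_TLD = b"\x02cn\x00"


def build_dns_query(name, txid=0x1234, flags=0x0100):
    """Construct a minimal DNS A query (UDP payload) for `name`.
    Constructed sample traffic for this example, not a capture."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rule_matches(payload):
    """Apply the signature's two content checks to a DNS UDP payload."""
    if payload[2:12] != RULE_HEADER:          # content #1: offset:2; depth:10
        return False
    # content #2: nocase, distance:0 from the end of the first match
    return RULE_TLD in payload[12:].lower()


def qname_tld(payload):
    """Parse the question name (no compression in a query) and return
    its top-level label in lower case; used to contrast with the rule."""
    labels, pos = [], 12
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return labels[-1].lower() if labels else ""


if __name__ == "__main__":
    for name, flags in [("example.cn", 0x0100), ("EXAMPLE.CN", 0x0100),
                        ("cn.example.org", 0x0100), ("example.cn", 0x0000)]:
        q = build_dns_query(name, flags=flags)
        print(f"{name:16} flags={flags:#06x} tld={qname_tld(q):4} "
              f"rule_fires={rule_matches(q)}")
```

Because the header check is strict, queries with a different flag word or with extra sections (for example an EDNS OPT record in the additional section, ARCOUNT=1) will not fire this rule even when the name ends in .cn; a QNAME-based check such as qname_tld is the more complete way to inventory such lookups.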
Recommendations/Investigative actions
Determine if access to Chinese domains is expected and necessary for your organization.
If the query is not legitimate, investigate the source of the query to determine what caused it.
If there is no business requirement for accessing Chinese domains, implement blocks or restrictions to mitigate potential security risks.
Relations to other alerts