NF – TLD domain – .cc DNS query

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .cc, the country-code top-level domain of the Cocos Islands, a group of islands in the Indian Ocean belonging to Australia. This domain extension is often used as an alternative to the more common extensions such as .com or .net because it is easy to remember and easy to find.

Categories:

ID Number

5017804

Signature

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - TLD domain - .cc DNS query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|CC|00|"; fast_pattern; nocase; distance:0; reference:url,networkforensic.dk; metadata:20042015; classtype:bad-unknown; sid:5017804; rev:4;)
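The two content checks in the signature are easier to reason about when rebuilt byte for byte. The first one, at offset 2 with depth 10, pins the DNS header fields after the transaction ID: flags 0x0100 (standard query, recursion desired), QDCOUNT 1 and ANCOUNT, NSCOUNT and ARCOUNT all 0. The second, `|02|CC|00|` with nocase and distance 0, looks anywhere after that for a two-byte label "cc" (in any letter case) immediately followed by the root label, which is what a query name ending in .cc looks like on the wire. The following Python is an added example written for this page, not code from networkforensic.dk or from any IDS project; it constructs sample queries locally (the hosts and names are hypothetical) and applies the same two checks so the match behaviour can be tested offline.

```python
import struct

# Added example (not part of the original rule page): rebuilds the byte checks of
# sid:5017804 in Python so the match logic can be exercised on constructed queries.

def build_dns_query(qname, txid=0x1234, edns=False):
    """Construct a minimal DNS query (standard query, RD set, one A/IN question).
    Only used to create sample messages in memory; nothing is sent on the network."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    msg = header + question
    if edns:
        # EDNS0 OPT pseudo-record in the additional section: NAME=root, TYPE=41,
        # CLASS=UDP payload size (4096), TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def qname_from_query(payload):
    """Return the queried name from the first question of an uncompressed DNS query."""
    labels, pos = [], 12
    while True:
        n = payload[pos]
        if n == 0:
            break
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def rule_5017804_matches(payload):
    """True when the payload satisfies both content checks of the signature."""
    # content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10
    # bytes 2..11 must be: flags=0x0100, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    if payload[2:12] != bytes.fromhex("01000001000000000000"):
        return False
    # content:"|02|CC|00|"; nocase; distance:0
    # after the header match: a two-byte label "cc" (any case) followed by the
    # root label, i.e. the query name ends in .cc
    return payload[12:].lower().find(b"\x02cc\x00") != -1

def scan(queries):
    """Run the rule over (source_ip, payload) pairs; return hits as (ip, qname)."""
    return [(ip, qname_from_query(p)) for ip, p in queries if rule_5017804_matches(p)]

# Constructed sample traffic (hypothetical internal hosts and domain names)
SAMPLES = [
    ("10.0.0.5", build_dns_query("mail.example.cc")),       # matches
    ("10.0.0.6", build_dns_query("example.CC")),            # matches (nocase)
    ("10.0.0.7", build_dns_query("example.cc.com")),        # no: "cc" is not the last label
    ("10.0.0.8", build_dns_query("example.cc", edns=True)), # no: ARCOUNT=1 fails the header check
]

if __name__ == "__main__":
    for ip, name in scan(SAMPLES):
        print(f"sid:5017804 hit from {ip}: {name}")
```

The last sample illustrates a gap worth knowing when triaging: because the first content check requires ARCOUNT to be zero, a query that carries an EDNS0 OPT record (ARCOUNT 1), or one with different flag bits set, is not matched even though its name ends in .cc. Conversely, the rule fires on every .cc name, legitimate or not, so the hit list is a starting point for the investigative actions below rather than a verdict.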

Severity

Medium

Recommendations/Investigative actions

Identify which device made the DNS request and assess whether the query is expected or potentially unauthorized. Consider blocking further queries to .cc domains. Investigate the device that initiated the query for signs of phishing, malware, or other suspicious behavior.