Signature
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - Punycode domain lookup to COM,DK domains"; detection_filter:track by_dst, count 2, seconds 2; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/xn--[a-z0-9\-]{1,256}(.com|.dk)/i"; reference:url,www.xudongz.com/blog/2017/idn-phishing; reference:url,networkforensic.dk; metadata:18042017; classtype:bad-unknown; sid:5023351; rev:1;)
Recommendations/Investigative actions
Check the source of the query: Identify which device or process initiated the DNS request, as it may indicate an unauthorized or suspicious activity.
Block further queries to the domain: Prevent the device from making additional DNS requests to this domain to mitigate potential threats.
Investigate the device for signs of phishing or malware: Examine the initiating device to determine if it has been compromised or if it interacted with a phishing site.