NF – Punycode domain lookup to COM,DK domains

This alert is triggered when a client initiates an SSL/TLS connection (typically on port 443) to an external server, and the certificate contains a domain name using Punycode that translates to .com or .dk. Punycode encoding is used in internationalized domain names, but it can also be exploited in phishing attacks by creating visually similar domains

Categories:

ID Number

5023351

Signature

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - Punycode domain lookup to COM,DK domains"; detection_filter:track by_dst, count 2, seconds 2; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/xn--[a-z0-9\-]{1,256}(.com|.dk)/i"; reference:url,www.xudongz.com/blog/2017/idn-phishing; reference:url,networkforensic.dk; metadata:18042017; classtype:bad-unknown; sid:5023351; rev:1;)

Severity

Low

Recommendations/Investigative actions

Check the source of the query: Identify which device or process initiated the DNS request, as it may indicate an unauthorized or suspicious activity. Block further queries to the domain: Prevent the device from making additional DNS requests to this domain to mitigate potential threats. Investigate the device for signs of phishing or malware: Examine the initiating device to determine if it has been compromised or if it interacted with a phishing site.