Artifact Explanations

Status

  • The Status column shows the EnforceDNS verdict assigned to the domain. Options are:

    • Blocked: Red circle with line through it.

    • Highly Suspicious: Red bell.

    • Watch Engine: Yellow bell.

    • Permitted: Green bell.

    • No Status: Clear bell.

Date

  • This is the Date (YYYY/MM/DD) and Time (HH:MM) that the DNS query was seen in traffic.

A Record

  • An A Record, short for Address Record, is a type of DNS (Domain Name System) record that maps a domain or subdomain to an IPv4 address. It associates a specific hostname with the corresponding numerical IP address, allowing computers to locate and connect to each other on the internet.

AAAA

  • A Quad A or AAAA Record is similar to an A Record but is specifically used to map a domain or subdomain to an IPv6 address. While A Records are for IPv4 addresses, AAAA Records handle the mapping of domain names to IPv6 addresses, supporting the next generation of internet protocol.

Answer Country

  • Answer Country refers to the Country of origin for the A Record.

Client IP

  • This is the IP address captured as the source of the DNS query.

If you’ve deployed via the resolver, you’ll only see the egress/external/public IP address(es) and not private IPs. To see private IPs you must deploy via the Agent, MDE, SentinelOne or the EnforceDNS Relay.

CNAME

  • A CNAME (Canonical Name) record is a DNS entry that allows one domain to be an alias for another. For example, if subdomain.example.com has a CNAME record pointing to anotherdomain.com, accessing subdomain.example.com would redirect to anotherdomain.com. While CNAMEs themselves are not inherently insecure, improper configuration or manipulation of CNAME records can pose security risks, such as in DNS-based attacks or subdomain takeovers. Security practices involve monitoring and validating DNS records to ensure their integrity and legitimacy.

CNAME FQDN

  • The CNAME FQDN is the Fully Qualified Domain Name for the CNAME.

CNAME TLD

  • This is the Top Level Domain of the CNAME. Looking at the domain examples used above for CNAME, the CNAME TLD for both subdomain.example.com and anotherdomain.com is .com.

Corporate Network

  • Corporate Networks are defined under Organization Settings > Source Networks. These are internal networks, each specified by a Name and IP Address and assigned a Policy.

Deployment Mode

  • Deployment Mode identifies whether an Organization is in Protection Mode (Blocking) or Inspection Mode (Non-blocking).

Device Name

  • This is the name of the device that made the DNS query. It can be helpful in identifying machines that are engaging in possible malicious activity or are infected with malware.

Device Name can only be viewed if deployed via the EnforceDNS Agent or MDE.

Domain

  • This is the Domain that devices are attempting to communicate with.

Domain Age

  • Domain Age refers to the length of time, in number of days, a specific domain has been registered and active on the internet. It is typically measured from the initial registration date to the present. The importance of domain age in deciding whether to visit a website lies in the notion that older domains often convey a sense of stability and credibility. When a domain has been in existence for an extended period, it suggests a history of legitimacy and reliability. In contrast, newer domains may be viewed with a bit more caution, as they have had less time to establish a reputation. This consideration becomes crucial in assessing the trustworthiness of a website and can be a factor in evaluating potential security risks before deciding to visit a domain.

Domain Category

  • Domain Category, or Website Category, refers to the classification of a domain based on its content or purpose. It helps users understand the nature of the website's content, whether it's news, education, e-commerce, or other types. Assessing the Domain Category is crucial for users to determine relevance and potential security risks associated with specific content types.

Domain TLD

  • Domain TLD, or Top-Level Domain, is the last segment of a domain name, located after the final dot. It signifies the domain's general purpose or origin. Examples include .com, .org, and .net. When deciding whether to visit a domain, considering its TLD is important. Different TLDs may suggest specific characteristics, such as .gov for government entities or .edu for educational institutions. Assessing the TLD helps users gauge the likely nature and trustworthiness of the website. It is also relevant in cybersecurity, as certain TLDs may be more prone to abuse or misuse. Therefore, understanding the Domain TLD is a key factor in making informed decisions about visiting a website.

Endpoint Type

  • The Endpoint Type records the operating system or platform from which the DNS query originated. Endpoint Types include macOS, Windows, Android and iOS.

FQDN

  • An FQDN (Fully Qualified Domain Name) is a detailed internet address that specifies the exact location of a hostname within the domain name system hierarchy, encompassing both the host name and the full domain name, as exemplified by subdomain.example.com. When evaluating safety, it's essential to examine the full FQDN rather than just the domain alone. This is significant because a domain can host various hostnames, some of which might be malicious, and simply looking at the domain doesn't disclose the specific hostname being accessed. Subdomains might direct to different hosts than the main domain, distinguishing between, for instance, evil.example.com and the safe example.com. Additionally, websites may employ cloaking or geolocation to provide distinct content to different users, and the full FQDN unveils whether the connection is to a site tailored for a particular region or user type. The resolution by DNS of the full FQDN informs your device precisely which IP address to connect to, ensuring accuracy in destination.

FQDN Nameserver

  • The FQDN Nameserver is simply the Fully Qualified Domain Name of the Nameserver.

Group

  • A Group is one or more users who are assigned to a custom policy.

Nameserver

  • A Nameserver is a server that stores DNS records and responds to queries, essentially holding the map of which domains correspond to which IP addresses. When a client requests the IP address for a domain like example.com, the Nameserver responds, enabling the client to navigate to the website. Analyzing the Nameserver is vital for assessing the safety of visiting a domain. The reputation and legitimacy of the Nameserver directly impact the overall trustworthiness of the domain. Malicious actors might compromise Nameservers for redirecting traffic or fraudulent activities, underscoring the need to detect potential tampering. Evaluating the historical context and configuration integrity of Nameservers helps gauge the domain's security. Malicious Nameservers are susceptible to exploitation in DNS-related attacks, stressing the importance of Nameserver analysis in preventing phishing, fraud, and other risks. A comprehensive examination of the Nameserver offers crucial insights into the security and legitimacy of a domain, facilitating informed decisions about its safety.

Nameserver Country

  • The Nameserver Country refers to the geographical location or country associated with a specific DNS Nameserver. This information is often used to determine the physical location or origin of the server handling DNS requests for a particular domain. The Nameserver Country is typically identified based on the IP address of the DNS server.

It's important to note that while the Nameserver Country can provide an indication of the server's location, it doesn't necessarily reflect the physical location of the domain owner or the hosted content. DNS information is distributed globally, and the Nameserver Country is determined by the location of the DNS Server itself.

NS IP

  • The NS IP is the IP address (or addresses) associated with a Nameserver.

NS TLD

  • NS TLD is the Top Level Domain associated with the Nameserver.

Policy

  • This shows the Policy name that was used for the query. Organizations can create policies specific to their needs, as well as use the default policy available.

Process Name

  • In the context of EnforceDNS and DNS, Process Name refers to the process that initiated the outbound DNS query.

Process Names will only appear for select processes when deployed via the EnforceDNS Agent, and only for those MDE events that include it. Generally, MDE reports network and device events. Resolver-based deployments will not receive Process Name information.

Query Type

  • Query Type refers to the type of DNS query that is seen. Each type has a unique purpose as described below:

    • A (Address) Record:

      • Purpose: Resolves a domain name to an IPv4 address.

      • Example: Resolving example.com to its corresponding IPv4 address.

    • AAAA (IPv6 Address) Record:

      • Purpose: Similar to A record but for IPv6 addresses.

      • Example: Resolving a domain to its IPv6 address.

    • CNAME (Canonical Name) Record:

      • Purpose: Alias of one domain to another, often used for subdomains or load balancing.

      • Example: Resolving example.com to docs.example.com (a CNAME maps a hostname to another hostname, not to a URL).

    • MX (Mail Exchange) Record:

      • Purpose: Specifies mail servers responsible for receiving emails on behalf of the domain.

      • Example: Identifying mail servers for a domain.

    • NS (Name Server) Record:

      • Purpose: Indicates authoritative DNS servers for the domain.

      • Example: Identifying the authoritative Name Servers for a domain.

    • PTR (Pointer) Record:

      • Purpose: Used for reverse DNS lookups, mapping an IP address to a domain.

      • Example: Resolving an IP address to its corresponding domain.

    • SOA (Start of Authority) Record:

      • Purpose: Contains information about the domain and the zone it's in.

      • Example: Storing administrative details, like the primary DNS server and contact email.

    • TXT (Text) Record:

      • Purpose: Holds text information associated with a domain. Commonly used for DNS-based verification.

      • Example: Storing SPF (Sender Policy Framework) records for email authentication.

    • SRV (Service) Record:

      • Purpose: Specifies information on available services within a domain, like SIP or XMPP.

      • Example: Identifying servers for a specific service.

    • DNSKEY (DNS Key) Record:

      • Purpose: Holds public keys used in DNSSEC (Domain Name System Security Extensions) to verify the authenticity of DNS data.

      • Example: Supporting DNS security through cryptographic keys.

Reason

  • The Reason column displays why the verdict was made. Reason examples:

    • threatER Engine: The EnforceDNS Decision Engine made the determination.

      • Applies to: Allowed, Blocked, Watch Engine, Highly Suspicious and No Verdict traffic.

    • Block List: The domain was added to a block list.

      • Applies to: Blocked traffic.

    • Allow List: The domain was added to an allow list.

      • Applies to: Allowed traffic.

Registrar

  • A Domain Registrar is a company that manages the reservation of domain names on the internet. They facilitate the process of purchasing and registering domain names for individuals or organizations. Additionally, Domain Registrars help maintain and update the domain's registration information in the domain name system (DNS) database.

Response Code

  • NXDomain: Stands for Non-Existent Domain. It indicates that the domain name in a DNS query does not exist and could not be resolved to an IP address.

  • No Error: Indicates a successful DNS resolution without any errors or issues.

  • ServFail: This means that the Authoritative server has failed to provide a valid response for the requested domain.

  • NotImp: Abbreviation for Not Implemented. This error code indicates that the DNS server does not support the requested operation.

  • NotAuth: Stands for Not Authorized. This means that the DNS server is not authorized to provide the requested information.
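As an added illustration (not part of the original page or of EnforceDNS itself), the script below shows how the columns described here can be combined in a review: it reads a constructed export with the Client IP, Domain, Domain Age, Domain TLD, Response Code, Status and Tags columns and summarises per client the NXDomain and ServFail answers, recently registered domains, Tags seen and non-Permitted verdicts. The column layout, the sample rows and the 30-day "young domain" threshold are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export using the column names from this page (not real data).
SAMPLE_CSV = """Date,Client IP,Device Name,FQDN,Domain,Domain Age,Domain TLD,Query Type,Response Code,Status,Tags
2024/05/01 09:14,10.0.0.12,WS-0142,www.example.com,example.com,9125,com,A,No Error,Permitted,
2024/05/01 09:15,10.0.0.12,WS-0142,login.example-support.top,example-support.top,3,top,A,No Error,Highly Suspicious,Suspicious TLD;Suspicious Domain
2024/05/01 09:15,10.0.0.12,WS-0142,qwe8f7a.example-support.top,example-support.top,3,top,A,NXDomain,No Status,
2024/05/01 09:16,10.0.0.44,LT-0007,mail.example.org,example.org,6000,org,MX,No Error,Permitted,
2024/05/01 09:17,10.0.0.44,LT-0007,cdn.example.net,example.net,4000,net,CNAME,ServFail,Watch Engine,Proxy
"""

# Review threshold in days (an assumption for this example, not an EnforceDNS setting).
YOUNG_DOMAIN_DAYS = 30


def parse_rows(text):
    """Parse an export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def tld_of(fqdn):
    """Domain TLD as defined on this page: the label after the final dot."""
    return fqdn.rstrip(".").rsplit(".", 1)[-1].lower()


def summarize_by_client(rows):
    """Aggregate the artifacts per Client IP so a reviewer can scan one line per device."""
    out = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "servfail": 0,
                               "young_domains": set(), "tags": set(), "non_permitted": 0})
    for r in rows:
        s = out[r["Client IP"]]
        s["queries"] += 1
        if r["Response Code"] == "NXDomain":
            s["nxdomain"] += 1          # name does not exist (see Response Code above)
        elif r["Response Code"] == "ServFail":
            s["servfail"] += 1          # authoritative server failed to answer
        if r["Domain Age"].isdigit() and int(r["Domain Age"]) < YOUNG_DOMAIN_DAYS:
            s["young_domains"].add(r["Domain"])
        s["tags"].update(t for t in r["Tags"].split(";") if t)
        if r["Status"] not in ("Permitted", "No Status"):
            s["non_permitted"] += 1     # Blocked, Highly Suspicious or Watch Engine
    return dict(out)


if __name__ == "__main__":
    for client, s in summarize_by_client(parse_rows(SAMPLE_CSV)).items():
        print(client, s)
```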

Rule

  • The Rule column indicates when a rule has been applied to a domain through Policy Management.

Source Type

  • Source Type indicates the deployment type for the device that generated the query. Possible results include Source Network, MDE, EnforceDNS Agent, Relay, S1, and Corporate Network.

Tags

Tags are included for certain domains within EnforceDNS. The Tags are meant to add additional context into why the Decision Engine assigned the corresponding verdict. Please note that not all domains will have Tags associated. The availability of Tags will vary based on threatER’s overall knowledge of the domain. The absence of Tags does not indicate a lack of domain intelligence; it simply means that additional contextual information or specific categorization may not be present for every domain within the EnforceDNS platform.

  • Inarpa: Short for in-addr.arpa, the domain used in the Domain Name System (DNS) to perform reverse DNS lookups, mapping an IP address to a domain name. The term "in-addr" is short for "internet address," and "arpa" is a top-level domain.

  • Proxy: A proxy is an intermediary server or application that acts as a gateway between a user's device (such as a computer or smartphone) and the internet. It serves as a mediator for requests and responses, forwarding them on behalf of the user.

  • Suspicious Domain: A website or network address causing concern due to potential malicious or deceptive activities, such as phishing, malware distribution, or other cyber threats.

  • Suspicious IP: An IP address that raises concerns due to potential involvement in malicious or deceptive activities, such as cyber attacks, malware distribution, or other security threats.

  • Suspicious FQDN: A domain name indicating potential risk or malicious intent, often associated with phishing, scams, or illicit online activities, prompting caution in its use or interaction.

  • Suspicious Registrar: A domain registration service or entity raising concerns for its association with fraudulent or malicious activities, facilitating the creation of domains for phishing, scams, or illicit purposes.

  • Suspicious TLD: A domain extension causing concerns due to its association with potentially malicious or deceptive activities, often linked to higher instances of spam, phishing, or cyber threats.

  • Tor: Short for The Onion Router, Tor is a privacy-focused network that enables anonymous communication over the Internet. It directs Internet traffic through a volunteer overlay network consisting of servers, or nodes, to conceal the user's identity and location. The name "onion" refers to the multiple layers of encryption applied to the data, enhancing security and privacy. Tor is often used for accessing websites anonymously and evading censorship, but it can also be misused for illicit activities due to its anonymity features.

  • VPN: A Virtual Private Network is a secure and encrypted connection that allows users to access the internet while ensuring privacy and anonymity by masking their IP addresses. If the VPN tag is displayed, a device is using a VPN to make outbound DNS requests.

Threats

  • When queries are categorized as Threats, the sub-category of assignment will appear here.

TTL

  • TTL stands for Time to Live. It represents the amount of time a DNS record is considered valid by caching servers or devices. When a device queries a DNS server for a specific domain's IP address, the server includes a TTL value in its response. This value indicates how long the information can be cached by the querying device before it needs to request the information again. Once the TTL expires, the device needs to perform a new DNS query to get the updated information.

Username

  • The Username assigned through MDE, SentinelOne, or the EnforceDNS Agent.