Our organization was notified with an alert from CIRA about an outbound DNS query performed by our RT server. I’ve been perusing several logs trying to identify when the query was made, but to no avail. Is there a specific log that would capture these outbound DNS queries?
In terms of DNS, RT is just a program on the server, and it does not log the DNS queries it makes. It uses your server's DNS configuration to make the requests as needed. What you need to do is set up server-level logging on DNS.
Unexpected outbound DNS queries can be indicators of malware, but it's just as likely that it is some process on your system (RT perhaps) that does this when it sends out emails (especially if your server sends email out directly, without a relay via an email server).
Things to check:
- how is DNS resolution set up on your system - is it a local DNS server that resolves all queries or is there a set of DNS servers that are meant to do that for you?
- has DNS resolution configuration been changed recently?
- are there new hosts file entries?
- is the server shared with other services that might be sending or receiving emails or otherwise looking for name to IP or IP to name information?
Things you can do depending on your configuration:
- set up a set of local firewall rules (iptables/nftables) to log all outbound port 53 and 953 traffic
- if you have a set of specific DNS servers that all servers have to use for DNS, do as above, but also block traffic to all but the allowed servers
- if you have a local DNS recursive resolver/server installed, turn on query logging (it will get very noisy and very big quickly) and then you can see what is being requested.
This is not the place to get into a full description of investigation. You might need to spend some time doing that.
Hope this helps
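An added example (not from the thread or from RT itself) of the firewall-logging approach suggested above: an nftables ruleset that logs every outbound port 53/953 packet with the UID of the socket that sent it, allows only approved resolvers, and a small summariser for the resulting kernel log lines. It assumes a Linux host with nftables; the resolver addresses, UIDs and log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes a Linux host with
# nftables (0.9.x or later for "th dport"); addresses and logs are constructed.

# Emit an nftables ruleset: every outbound DNS packet (ports 53 and 953, as the
# reply suggests) is logged with the UID of the sending socket; packets to an
# approved resolver are accepted, anything else is logged and dropped.
# Apply with:  dns_ruleset 10.0.0.53 10.0.0.54 | nft -f -
dns_ruleset() {
    allowed=$(printf '%s, ' "$@"); allowed=${allowed%, }
    cat <<EOF
table inet dnswatch {
    chain output {
        type filter hook output priority 0; policy accept;
        meta l4proto { tcp, udp } th dport { 53, 953 } ip daddr { $allowed } log prefix "DNS-OUT: " flags skuid accept
        meta l4proto { tcp, udp } th dport { 53, 953 } log prefix "DNS-ROGUE: " flags skuid drop
    }
}
EOF
}

# Summarise kernel log lines written by those rules (read from stdin) as
# "<count> <tag> <destination> uid=<uid>", so an unapproved resolver or an
# unexpected sending UID stands out at a glance.
summarize_dns_log() {
    awk '{
        tag = ""; dst = "?"; uid = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DNS-[A-Z]+:$/) tag = $i
            else if ($i ~ /^DST=/)   dst = substr($i, 5)
            else if ($i ~ /^UID=/)   uid = substr($i, 5)
        }
        if (tag != "") count[tag " " dst " uid=" uid]++
    }
    END { for (k in count) print count[k], k }' | sort -k2,2 -k3,3
}

# Constructed sample of what the kernel log looks like with "flags skuid":
# two queries to the approved resolver (UID 33, assumed here to be the web
# server user RT runs as, and UID 0) and two to an unapproved resolver.
SAMPLE_LOG='kernel: DNS-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.53 PROTO=UDP SPT=40001 DPT=53 UID=33 GID=33
kernel: DNS-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=10.0.0.53 PROTO=UDP SPT=40002 DPT=53 UID=0 GID=0
kernel: DNS-ROGUE: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP SPT=40003 DPT=53 UID=33 GID=33
kernel: DNS-ROGUE: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=40004 DPT=53 UID=33 GID=33'

dns_ruleset 10.0.0.53 10.0.0.54
printf '%s\n' "$SAMPLE_LOG" | summarize_dns_log
```

If the host resolves through a local stub or recursive resolver (for example something listening on 127.0.0.53), the logged UID will be that daemon's rather than RT's; in that case also match traffic on the loopback interface, or rely on the resolver's own query log as the reply suggests.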