question

Davood-3526 asked LimitlessTechnology-2700 answered

What is the sl(0) in DNS logs as host name?

I was checking my DNS queries (with logs) and found that there are a lot of queries like the one below from that IP address, but I cannot understand why it is on port 80 and what the (2)sl(0) is as the name/host name.


9/9/2021 7:43:24 AM 0CBC PACKET 00000000016E4F90 UDP Rcv 72.9.21.67 4567 Q [0001 D NOERROR] ALL (2)sl(0)
UDP question info at 00000000016E4F90
Socket = 336
Remote addr 72.9.21.67, port 80
Time Query=71848, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x001f (31)
Message:
XID 0x4567
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 1
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(2)sl(0)"
QTYPE ALL (255)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
Offset = 0x0014, RR count = 0
Name "(0)"
TYPE OPT (41)
CLASS 65535
TTL 0
DLEN 0
DATA
Buffer Size = 65535
Rcode Ext = 0
Rcode Full = 0
Version = 0
Flags = 0

windows-dhcp-dns
LimitlessTechnology-2700 answered

Hello @Davood-3526,

This is an external query to discover DNS query types with SL characters; this may make sense to you depending on the hostnames and addresses in your company.

If not, this may be part of a range scan for vulnerabilities, so the best option will be to set the firewall to block inbound requests of that type. You can easily set it up with PowerShell, running the New-NetFirewallRule cmdlet. Here you have some examples:

https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2019-ps

Hope this helps in your case,
Best regards,

mschiavon answered Davood-3526 commented

Simply the FQDN requested.

Example:
(12)somecomputer(6)domain(3)com(0)

0=> .
COM=>3 char
DOMAIN=>6 char
SOMECOMPUTER=>12 char

In your case, (2)sl(0):
0=>.
SL=>2 char


See this: https://serverfault.com/questions/684782/whats-in-the-dns-debug-log-message-fields


I want to know, is that a kind of attack or something? I have over 1000 recorded like this in the log file.

mschiavon answered

Maybe... someone is asking your DNS for record type "ALL" with FQDN "SL".
Could be "give me all your Source List", but the type "ALL" does not exist in DNS (https://en.wikipedia.org/wiki/List_of_DNS_record_types).
So, probably, it is someone or something that is trying.... Create a rule in your firewall to deny source 72.9.21.67 to TCP/UDP 53.
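An added example, not part of any answer in this thread, that turns the two points above into code: the (N)label(0) notation is just the length-prefixed label encoding DNS uses on the wire, and the practical question with over 1000 records is who is sending them. The script decodes names in that notation, encodes a dotted name back to wire format so the correspondence is visible, parses the one-line PACKET summary records of a Windows DNS Server debug log (assumed field layout after the PACKET id: protocol, Snd/Rcv, remote IP, XID in hex, Q/R, [flags flagchars RCODE], QTYPE, name), and counts received queries per source, QTYPE and name. The log lines other than the one quoted in the question are constructed, and the `threshold` knob is a hypothetical setting you would tune to your own traffic.

```python
"""Decode names in Windows DNS Server debug-log records and summarise who is asking for what."""
import re
from collections import Counter
from typing import Optional

# One "PACKET" summary line of a Windows DNS debug log (field layout assumed as
# documented in Microsoft's DNS debug-logging reference; see the lead-in).
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>[QR])\s+\[(?P<flags>[0-9A-Fa-f]{4})\s*"
    r"(?P<flagchars>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)
# Each "(N)label" pair of the name notation; "(0)" is the root label that ends a name.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_debug_name(text: str) -> str:
    """Turn the log's length-prefixed notation into a dotted FQDN.

    "(12)somecomputer(6)domain(3)com(0)" -> "somecomputer.domain.com."
    "(2)sl(0)" -> "sl."        "(0)" -> "."
    Each (N) is the length byte that precedes the label on the wire.
    """
    labels = []
    for length, label in LABEL_RE.findall(text):
        n = int(length)
        if n == 0:
            break  # root label: end of name
        if len(label) != n:
            raise ValueError(f"label {label!r} does not have the announced length {n}")
        labels.append(label)
    return ".".join(labels) + "."


def encode_wire_name(fqdn: str) -> bytes:
    """Encode a dotted name as it travels in a DNS packet: length byte + label, ..., 0x00."""
    out = bytearray()
    for label in fqdn.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError(f"label {label!r} longer than 63 octets")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # root label terminates the name
    return bytes(out)


def parse_packet_line(line: str) -> Optional[dict]:
    """Parse one PACKET summary line; return None for the multi-line detail records."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flagchars"] = rec["flagchars"].strip()
    rec["fqdn"] = decode_debug_name(rec["name"])
    return rec


def summarize_queries(lines, threshold: int = 100):
    """Count received queries per (source IP, QTYPE, name).

    Returns the Counter and the sorted list of source IPs that sent at least
    `threshold` queries for a single (QTYPE, name) pair.
    """
    counts = Counter()
    for line in lines:
        rec = parse_packet_line(line)
        if rec and rec["dir"] == "Rcv" and rec["qr"] == "Q":
            counts[(rec["ip"], rec["qtype"], rec["fqdn"])] += 1
    flagged = sorted({ip for (ip, _, _), n in counts.items() if n >= threshold})
    return counts, flagged


# Constructed sample: the record quoted in the question plus made-up lines
# (two repeats from the same source, one ordinary lookup and its reply, one detail line).
SAMPLE_LOG = [
    "9/9/2021 7:43:24 AM 0CBC PACKET 00000000016E4F90 UDP Rcv 72.9.21.67 4567 Q [0001 D NOERROR] ALL (2)sl(0)",
    "9/9/2021 7:43:25 AM 0CBC PACKET 00000000016E4F90 UDP Rcv 72.9.21.67 4568 Q [0001 D NOERROR] ALL (2)sl(0)",
    "9/9/2021 7:43:26 AM 0CBC PACKET 00000000016E4F90 UDP Rcv 72.9.21.67 4569 Q [0001 D NOERROR] ALL (2)sl(0)",
    "9/9/2021 7:43:27 AM 0CBC PACKET 00000000016E4F90 UDP Rcv 10.0.0.5 1a2b Q [0001 D NOERROR] A (3)www(7)example(3)com(0)",
    "9/9/2021 7:43:27 AM 0CBC PACKET 00000000016E4F90 UDP Snd 10.0.0.5 1a2b R [8081 DR NOERROR] A (3)www(7)example(3)com(0)",
    "UDP question info at 00000000016E4F90",
]

if __name__ == "__main__":
    counts, flagged = summarize_queries(SAMPLE_LOG, threshold=3)
    for (ip, qtype, fqdn), n in counts.most_common():
        print(f"{ip:16} {qtype:6} {fqdn:28} {n}")
    print("sources at or over threshold:", flagged)
```

Run it against a real debug log with `summarize_queries(open(path, encoding="utf-8", errors="replace"), threshold=...)`; the flagged list is the input for whatever block rule you decide on, and the per-name counts separate a scanner repeating one odd query from a busy but legitimate resolver.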
