Intrusion Detection - Onion

I am getting these alerts from the Route 10 on a client network:

The Intrusion Detection System on HDC-Route10 has detected potentially malicious traffic.

Severity: High
Alert: ET INFO DNS Query for TOR Hidden Domain .onion Accessible Via TOR
Protocol: UDP
Source: 8.8.8.8:53
Destination: 192.168.10.5:60596

.5 is the Domain Controller that is also doing DNS/DHCP for the domain so I suspect it is not the culprit here as I have scanned it and it comes up clean…

Where can I find more info on the alert?

It looks like a device on the network attempted to resolve a .onion domain. .onion domains can only be resolved through the Tor network and will not work with normal DNS.

If your domain controller is handling DNS, you may be able to identify which device made the request by checking the DNS logs.

This type of request is often benign. Some applications or browser extensions will attempt to resolve .onion domains as part of link checking, connectivity testing, or automated scanning, even though the lookup will fail outside of Tor.


The Intrusion Detection System on HDC-Route10 (site HDC) has detected potentially malicious traffic.

Severity: High
Alert: ET INFO DNS Query for TOR Hidden Domain .onion Accessible Via TOR
Protocol: UDP
Source: 202.12.27.33:53
Destination: 192.168.10.5:60615

These are continuing, now with a different IP?

It looks like another DNS response to a request from your domain controller.

.onion domains will never resolve in the clear, only via TOR.

If you’d like to dig into it further, I would recommend checking your DC to see what device is requesting .onion DNS resolution. Additionally, you could also check for any TOR activity on your network on the Dashboard → Top Active Applications. Set it to 2M and sort by name to see if TOR is listed. You can also block TOR by pausing it or in Settings → Filter → Block Applications.
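Both replies point the same way: the IDS only sees the upstream resolver answering the domain controller, so the DC's own DNS logs are where the originating client shows up. The script below is an added example, not code from the thread or from the router vendor. It assumes the DC runs Windows DNS Server with packet debug logging enabled (the `dns.log` "Log packets for debugging" option), and the log lines it parses are constructed approximations of that format, not real captures. It decodes the label-encoded query names, counts `.onion` queries per internal client, and separately counts the queries the DC forwarded upstream, which is the traffic the alert is actually reporting.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of a Windows DNS Server debug log.
# These lines are made up for the example; the column layout approximates
# the real format: date/time, thread, PACKET, packet id, protocol, Snd/Rcv,
# remote IP, XID, "R" for responses, opcode, [flags], query type, name.
SAMPLE_DNS_LOG = """\
1/15/2024 10:32:15 AM 0E2C PACKET  000000C3A2B1C2D0 UDP Rcv 192.168.10.42   4a3b   Q [0001   D   NOERROR] A      (16)examplehidden123(5)onion(0)
1/15/2024 10:32:15 AM 0E2C PACKET  000000C3A2B1C2D0 UDP Snd 8.8.8.8         9c1d   Q [0001   D   NOERROR] A      (16)examplehidden123(5)onion(0)
1/15/2024 10:32:15 AM 0E2C PACKET  000000C3A2B1C2D0 UDP Rcv 8.8.8.8         9c1d R Q [8081   DR NXDOMAIN] A      (16)examplehidden123(5)onion(0)
1/15/2024 10:32:16 AM 0E2C PACKET  000000C3A2B1D1E0 UDP Rcv 192.168.10.77   1f00   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/15/2024 10:32:18 AM 0E2C PACKET  000000C3A2B1E2F0 UDP Rcv 192.168.10.42   4a3c   Q [0001   D   NOERROR] AAAA   (16)examplehidden123(5)onion(0)
1/15/2024 10:33:02 AM 0E2C PACKET  000000C3A2B1F300 UDP Rcv 192.168.10.88   77aa   Q [0001   D   NOERROR] A      (10)anotherabc(5)onion(0)
"""

# Packet columns: protocol, direction, remote IP, XID, optional "R" flag
# (present on responses), opcode "Q", bracketed flags, query type, and the
# label-encoded query name such as "(3)www(7)example(3)com(0)".
PACKET_RE = re.compile(
    r"\b(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9a-f]{4})\s+(?P<resp>R?)\s+Q\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>(?:\(\d+\)[^()\s]*)+\(0\))"
)


def decode_labels(encoded: str) -> str:
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com".

    The length prefix is checked against the label text so a truncated or
    mangled log line raises instead of yielding a misleading name.
    """
    labels = []
    for length, text in re.findall(r"\((\d+)\)([^()]*)", encoded):
        if int(length) == 0:
            break  # root label terminates the name
        if len(text) != int(length):
            raise ValueError(f"label length mismatch in {encoded!r}")
        labels.append(text)
    return ".".join(labels).lower()


def is_onion(name: str) -> bool:
    return name == "onion" or name.endswith(".onion")


def summarize_onion_activity(log_text: str) -> dict:
    """Attribute .onion lookups to the internal clients that asked the DC.

    Returns per-client query counts, the names each client asked for, and
    how many of those queries the DC forwarded to an upstream resolver
    (the packets an IDS in front of the DC would see and alert on).
    """
    queries_by_client = Counter()
    names_by_client = defaultdict(set)
    forwarded_upstream = 0
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        name = decode_labels(m["qname"])
        if not is_onion(name):
            continue
        is_response = m["resp"] == "R"
        if m["dir"] == "Rcv" and not is_response:
            # A query arriving at the DC: the remote IP is the real client.
            queries_by_client[m["remote"]] += 1
            names_by_client[m["remote"]].add(name)
        elif m["dir"] == "Snd" and not is_response:
            # The DC relaying the query to its forwarder (e.g. 8.8.8.8).
            forwarded_upstream += 1
    return {
        "queries_by_client": dict(queries_by_client),
        "names_by_client": {c: sorted(n) for c, n in names_by_client.items()},
        "forwarded_upstream": forwarded_upstream,
    }


if __name__ == "__main__":
    report = summarize_onion_activity(SAMPLE_DNS_LOG)
    print(f".onion queries forwarded upstream by the DC: {report['forwarded_upstream']}")
    for client, count in sorted(report["queries_by_client"].items()):
        print(f"{client}: {count} query(ies) for {', '.join(report['names_by_client'][client])}")
```

Running it against the constructed sample attributes the lookups to two workstations (.42 and .88) rather than to the DC, which is the pattern the thread describes: the DC appears in the alert only because it forwards the query and receives the upstream's NXDOMAIN. The same parsing approach applies to the DNS Server analytic event log if packet debug logging is not enabled, though the field layout differs and the regex would need to change.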