Analyst Tip: Suspicious DNS Behavior
The following rules of thumb may be used to build analytics to search for suspicious DNS-related activity. I have provided references that support their use wherever possible.
- Sudden short, large burst of queries for a domain
- Domain resolves to multiple IPs in different ASes, countries, and/or regions (A RRs)
- TTL changes over a period of time (Reference)
- IP assigned to a domain changes frequently over a period of time (Reference)
…more
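As an added example (not part of the original tip), the rules of thumb above implemented as detection logic over resolver-log lines. The log format (timestamp, client, qname, rtype, rdata, TTL, origin ASN, country), every threshold, and the sample lines are assumptions; the ASN and country columns would in practice come from enriching each answer with an ASN/GeoIP lookup, and the addresses use the documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24, AS64496 to AS64511). The third constructed domain, static.example, shows the caveat a practitioner will hit immediately: CDN and anycast hosts legitimately answer from several ASes and countries with short TTLs, so the multi-AS rule needs an allowlist or baseline of known content-delivery domains before it is useful on its own.

```python
"""Detection logic for the DNS rules of thumb, over constructed resolver-log lines.

Added example, not from the original page. Log format, thresholds and sample
lines are assumptions; IPs/ASNs are from the documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ts,client,qname,rtype,rdata,ttl,origin_asn,country
SAMPLE_LOG = """\
2024-01-01T10:00:00,10.0.0.5,www.example.com,A,192.0.2.10,3600,AS64511,US
2024-01-01T11:00:00,10.0.0.6,www.example.com,A,192.0.2.10,3600,AS64511,US
2024-01-01T12:00:00,10.0.0.7,www.example.com,A,192.0.2.10,3600,AS64511,US
2024-01-01T10:00:00,10.0.0.9,bad.example,A,198.51.100.7,60,AS64496,US
2024-01-01T10:00:05,10.0.0.9,bad.example,A,198.51.100.7,60,AS64496,US
2024-01-01T10:00:10,10.0.0.9,bad.example,A,203.0.113.9,60,AS64497,DE
2024-01-01T10:00:15,10.0.0.9,bad.example,A,203.0.113.9,60,AS64497,DE
2024-01-01T10:00:20,10.0.0.9,bad.example,A,192.0.2.44,60,AS64498,BR
2024-01-01T10:00:25,10.0.0.9,bad.example,A,192.0.2.44,60,AS64498,BR
2024-01-01T10:00:30,10.0.0.9,bad.example,A,198.51.100.7,60,AS64496,US
2024-01-01T10:00:35,10.0.0.9,bad.example,A,198.51.100.7,60,AS64496,US
2024-01-01T10:00:40,10.0.0.9,bad.example,A,203.0.113.9,60,AS64497,DE
2024-01-01T10:00:45,10.0.0.9,bad.example,A,203.0.113.9,60,AS64497,DE
2024-01-01T10:00:50,10.0.0.9,bad.example,A,192.0.2.44,60,AS64498,BR
2024-01-01T10:00:55,10.0.0.9,bad.example,A,192.0.2.44,60,AS64498,BR
2024-01-01T13:00:00,10.0.0.9,bad.example,A,198.51.100.23,30,AS64496,US
2024-01-01T16:00:00,10.0.0.9,bad.example,A,203.0.113.77,300,AS64499,NL
2024-01-01T19:00:00,10.0.0.9,bad.example,A,192.0.2.200,3600,AS64500,BR
2024-01-01T10:30:00,10.0.0.5,static.example,A,198.51.100.80,60,AS64505,US
2024-01-01T14:30:00,10.0.0.6,static.example,A,203.0.113.80,60,AS64506,IE
2024-01-01T18:30:00,10.0.0.7,static.example,A,192.0.2.80,60,AS64507,SG
"""


def parse_log(text):
    """Parse the assumed CSV log format into dicts; qnames are normalised."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, rtype, rdata, ttl, asn, cc = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts), "client": client,
            "qname": qname.lower().rstrip("."), "rtype": rtype,
            "rdata": rdata, "ttl": int(ttl), "asn": asn, "cc": cc,
        })
    return records


def max_burst(timestamps, window):
    """Largest number of queries inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > timedelta(seconds=window):
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(records, window=60, burst_threshold=10, asn_threshold=3,
            cc_threshold=2, ttl_threshold=3, churn_threshold=3):
    """Score each queried name against the four rules of thumb (A records only)."""
    by_domain = defaultdict(list)
    for r in records:
        if r["rtype"] == "A":
            by_domain[r["qname"]].append(r)

    findings = {}
    for dom, recs in by_domain.items():
        recs.sort(key=lambda r: r["ts"])
        flags = []
        # Rule 1: a *short* burst -- many queries in one window, and that window
        # holds most of the name's traffic in the whole log span.
        burst = max_burst([r["ts"] for r in recs], window)
        if burst >= burst_threshold and burst >= 0.5 * len(recs):
            flags.append("burst")
        # Rule 2: answers spread over several origin ASes / countries.
        asns = {r["asn"] for r in recs}
        ccs = {r["cc"] for r in recs}
        if len(asns) >= asn_threshold or len(ccs) >= cc_threshold:
            flags.append("multi_as_geo")
        # Rule 3: the TTL keeps changing across observations.
        ttls = {r["ttl"] for r in recs}
        if len(ttls) >= ttl_threshold:
            flags.append("ttl_changes")
        # Rule 4: IP churn, counted as answer-to-answer transitions over time.
        changes = sum(1 for a, b in zip(recs, recs[1:]) if a["rdata"] != b["rdata"])
        if changes >= churn_threshold:
            flags.append("ip_churn")
        findings[dom] = {"flags": flags, "burst": burst, "asns": len(asns),
                         "countries": len(ccs), "ttls": sorted(ttls),
                         "ip_changes": changes}
    return findings


if __name__ == "__main__":
    for dom, f in analyze(parse_log(SAMPLE_LOG)).items():
        print(dom, f)
```

Run as a script it prints one summary per name; bad.example trips all four rules, www.example.com none, and static.example only the multi-AS rule, which is exactly the CDN false positive the allowlist has to absorb. The burst rule deliberately requires the window to contain at least half of the name's queries so that a steadily popular domain with an occasional spike is not flagged.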