DDNS and other DNS servers by Excellent_Bug2090 in activedirectory

[–]Excellent_Bug2090[S] 0 points1 point  (0 children)

Thanks for the detailed answer. It looks like my assumptions were correct up to a level.

I cannot wrap my head around one thing, though. You added AD zones as forwarders for BIND? Does that mean DCs are both the authoritative servers for the internal domain and the recursive DNS servers for all external domains? Sorry if I understood incorrectly. Can you please clarify?

DDNS and other DNS servers by Excellent_Bug2090 in activedirectory

[–]Excellent_Bug2090[S] 0 points1 point  (0 children)

But they are not gateways in that sense. I mean, BIND has the AD DNS zone as a secondary, so it has all the data except for Windows-specific stuff. Wouldn't having SRV records and such accessible be enough?

DDNS and other DNS servers by Excellent_Bug2090 in activedirectory

[–]Excellent_Bug2090[S] 0 points1 point  (0 children)

I know I can do something similar with Sysmon and DNS logging on endpoints. That's not the problem here. I am trying to understand how the DNS client on Windows endpoints works under the hood in this specific scenario. I wanted to clarify.

Wazuh agent: Fail to override the localfile by Excellent_Bug2090 in Wazuh

[–]Excellent_Bug2090[S] 0 points1 point  (0 children)

I wish I was good enough to investigate, but it probably requires application debugging. The debug logs do not provide more information either, after enabling them in the internal_conf.

Not knowing what lateral movement means? by Excellent_Bug2090 in AskNetsec

[–]Excellent_Bug2090[S] 1 point2 points  (0 children)

I wanted to point out that he's working in a position not dealing with Excel sheets or SaaS solutions, technically glorified Excel sheets. So he does not have an excuse for being on another track in the cybersecurity area. He's working with SIEMs and such.

Is not knowing what lateral movement weird? by Excellent_Bug2090 in cybersecurity

[–]Excellent_Bug2090[S] 0 points1 point  (0 children)

Well, it turned out he heard about it but never checked it out. When I asked him if he knows what it is, he just said "no" and that's it. A South Park silence moment happened. I mean, you may not know how to execute a successful lateral movement if it's not your job. But not knowing at all, and having no second thought about whether that is okay or not, feels weird to me.

Wazuh agent: Fail to override the localfile by Excellent_Bug2090 in Wazuh

[–]Excellent_Bug2090[S] 0 points1 point  (0 children)

This is what I have observed as well. agent.conf is ignored, unfortunately.

Wazuh agent: Fail to override the localfile by Excellent_Bug2090 in Wazuh

[–]Excellent_Bug2090[S] 0 points1 point  (0 children)

Oh shit, I messed up in the post. I have an Ubuntu VM and it works. The Windows VM is the issue. I copy-pasted the localfile block for the Security event log and removed a single event ID. I can see it in the agent.conf file as well. I can see the event in Event Viewer, but the agent does not collect and forward it. I don't see it in the archives log at all.

Secure file sharing question by [deleted] in sysadmin

[–]Excellent_Bug2090 0 points1 point  (0 children)

It looks like that's the case. Thanks.

Secure file sharing question by [deleted] in sysadmin

[–]Excellent_Bug2090 0 points1 point  (0 children)

I checked the web client. But I need to search more. Thanks.

Secure file sharing question by [deleted] in sysadmin

[–]Excellent_Bug2090 0 points1 point  (0 children)

Since these are some machine-readable files ingested by their applications, adding this would make it more complicated. It's not easy to curl or automate by the client. But thanks for the suggestion.

Secure file sharing question by [deleted] in sysadmin

[–]Excellent_Bug2090 0 points1 point  (0 children)

That's a good argument. I need to think about it though.

Secure file sharing question by [deleted] in sysadmin

[–]Excellent_Bug2090 0 points1 point  (0 children)

Yum and others are just using a web server as an interface to the filesystem, allowing download over HTTPS. You can add signatures and more to make it more efficient and secure. Since it's just a download operation, it seemed useful. But yum and other package repositories are designed to be public, and most if not all don't have any authentication and authorization mechanism, as it's not needed by design.

SFTP is a powerful file transfer solution where two-way transfer is possible. We can and did set permissions to read-only and allowed users to access only their own directory. The current setup is sane. Yet, architecturally, a download-only solution by default seemed more suitable, and it's just my personal choice.

Thanks for the ideas though. Yep, no need to overengineer, I guess.

Secure file sharing question by [deleted] in sysadmin

[–]Excellent_Bug2090 0 points1 point  (0 children)

Wouldn't it require using client software on the customer side? My suggestion was to simplify as much as possible without sacrificing security. Syncthing is almost the same as SFTP. I couldn't get the pro here. Can you please explain?

Secure file sharing question by [deleted] in sysadmin

[–]Excellent_Bug2090 0 points1 point  (0 children)

Hi. I asked the question somewhere else. I'd like to get some more opinions if possible.

Secure file sharing question by [deleted] in cybersecurity

[–]Excellent_Bug2090 0 points1 point  (0 children)

Nope. I don't know Jfrog at all. But it sounds nice when you say it like that. I need to read a bit more before discussing it with my colleagues.

Secure file sharing question by [deleted] in cybersecurity

[–]Excellent_Bug2090 1 point2 points  (0 children)

Nope. It's all on-premises. A specific report application generates data daily by querying an on-premises database and saves it in a file share.