I’m setting up Bro IDS recently. I will listen to DNS traffic via a SPAN port, but I wonder: how can I detect malware and victim clients that use bad DNS in the network?


This script that I wrote a while ago may help:

It creates an external_dns.log file (which is just dns.log that has been pre-filtered for you) as well as raising notices when it detects clients using external dns servers.
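The script linked above is not reproduced in the thread, so here is an added example (not the poster's script) of the same idea in Bro 2.x script language: raise a notice whenever a local client sends a DNS query to a resolver that is not in the approved set. The `sanctioned_resolvers` addresses, the module name and the notice name are constructed for this example; `Site::is_local_addr` and the five-argument `dns_request` event are from the stock Bro 2.x scripts.

```zeek
# Added example: flag local hosts that query resolvers outside the approved set.
@load base/protocols/dns
@load base/frameworks/notice
@load base/utils/site

module ExternalDNS;

export {
    redef enum Notice::Type += {
        # A local client sent a DNS query to a resolver that is not sanctioned.
        External_DNS_Server,
    };

    # Constructed example values: the resolvers clients are expected to use.
    # Override in local.bro with: redef ExternalDNS::sanctioned_resolvers = { ... };
    const sanctioned_resolvers: set[addr] = {
        10.0.0.53,
        10.0.1.53,
    } &redef;
}

# Bro 2.x signature; later Zeek releases add an `original_query` argument.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    # Only care about clients inside Site::local_nets.
    if ( ! Site::is_local_addr(c$id$orig_h) )
        return;

    # Queries to the approved resolvers are expected; ignore them.
    if ( c$id$resp_h in sanctioned_resolvers )
        return;

    NOTICE([$note=External_DNS_Server,
            $msg=fmt("%s queried external resolver %s for %s",
                     c$id$orig_h, c$id$resp_h, query),
            $conn=c,
            # One notice per (client, resolver) pair per hour instead of one per query.
            $identifier=cat(c$id$orig_h, "-", c$id$resp_h),
            $suppress_for=1hr]);
}
```

Load it from `local.bro` after setting `Site::local_nets`; without `local_nets` every address is treated as remote and nothing fires. The suppression key keeps a chatty client from flooding `notice.log`, while the query name in `$msg` still shows what the first hit was looking up.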

Thanks, but I need code or configuration that queries the malware DNS/IP sources that are trying to connect and raises notices.

Or how do you identify malware-infected DDoS clients in your network with Bro?
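For matching DNS queries and connections against a list of known-bad domains and addresses, the stock Bro 2.x Intel framework already does the lookup and the notice. The following is an added example (not from any poster in this thread) of the few lines needed to enable it; the intel file path, feed name and indicator values are constructed placeholders.

```zeek
# Added example: alert when a local client resolves a domain, or contacts an
# address, that appears in a threat-intel feed.
@load base/frameworks/intel
@load base/frameworks/notice
@load base/utils/site
@load frameworks/intel/seen       # feeds DNS query names, IPs, etc. into Intel::seen
@load frameworks/intel/do_notice  # raises Intel::Notice for items with meta.do_notice=T

# Hypothetical path. The file is tab-separated (literal tabs, not spaces)
# and starts with the #fields header, e.g.:
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.do_notice
#   bad.example<TAB>Intel::DOMAIN<TAB>constructed-feed<TAB>T
#   198.51.100.7<TAB>Intel::ADDR<TAB>constructed-feed<TAB>T
#
# Bro re-reads the file when it changes, so the feed can be updated in place.
redef Intel::read_files += { "/opt/bro/share/intel/malware.intel" };

# Escalate only hits that involve a local client; remote-to-remote traffic seen
# on the SPAN port is noise for the "which of my hosts is infected" question.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note != Intel::Notice )
        return;

    if ( n?$conn && Site::is_local_addr(n$conn$id$orig_h) )
        add n$actions[Notice::ACTION_EMAIL];
}
```

Matches are written to `intel.log` with the indicator, its source feed and the connection that triggered it, and `Intel::Notice` entries land in `notice.log`; the email action is only an example of how to route the local-client hits somewhere a responder will see them.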


This will get you there:

Also, not Bro related, but it graphically shows what you’re looking for:


