
DNS Tunneling Detection

Identifies potential DNS tunneling by detecting unusually long DNS query names or high query frequency to a single domain.

Tags: Network, dns, tunneling, exfiltration, network, T1071.004

Network · advanced · by SOC Team · 1 min read

Query

EventType = "DnsRequest"
| DomainName = /\.[a-z]{2,}\.[a-z]{2,}$/i
| length(DomainName, as=domainLength)
| replace(field=DomainName, regex="[^.]", with="", as=dots)
| length(dots, as=dotCount)
| LabelCount := dotCount + 1
| domainLength > 50 OR LabelCount > 5
| groupBy([DomainName, SourceIP], function=count())
| sort(field=_count, order=desc)
| head(50)

Explanation

| Pipe | Description |
|---|---|
| `EventType = "DnsRequest"` | Keeps only DNS request events |
| `DomainName = /\.[a-z]{2,}\.[a-z]{2,}$/i` | Requires at least one label in front of the registrable domain, so bare second-level names such as `example.com` are skipped; `i` makes the match case-insensitive |
| `length(DomainName, as=domainLength)` | Total length of the query name in characters |
| `replace(...)`, `length(dots, ...)`, `LabelCount := dotCount + 1` | Derives the number of labels by stripping everything except the dots and counting them; `LabelCount` is not a field of the raw event and must be computed before it can be filtered on |
| `domainLength > 50 OR LabelCount > 5` | Tunneling indicators: long names carry encoded payload, deep names carry it across many labels |
| `groupBy([DomainName, SourceIP], function=count())` | Counts requests per query name and source host |
| `sort(field=_count, order=desc)`, `head(50)` | Highest counts first, capped at 50 rows |

Variables to tune

- `domainLength > 50`: raise it if the environment has legitimately long names (CDN and cloud service endpoints, SRV and `_dmarc`-style records).
- `LabelCount > 5`: excessive subdomain depth is a tunneling indicator; tune it against deep but legitimate hostnames seen in the baseline.
- Add `| NOT DomainName = /\.google\.com$/i` to exclude known domains. Escape the dots: an unescaped `.` matches any character, so `/google.com$/` also matches names that merely end in `google` followed by any character and `com`.
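The same heuristics, re-implemented in Python as an added example that is not part of the original detection page, so they can be run offline against a handful of constructed DnsRequest-like records. It goes one step beyond the LogScale query: besides counting per full query name as `groupBy([DomainName, SourceIP])` does, it also counts per base domain, because a tunnel encodes data in ever-changing subdomains and every one of its requests is a unique FQDN. The field names mirror the query; the sample events, thresholds, allowlist and the two-label `base_domain()` assumption are all constructed here.

```python
"""Offline DNS tunneling heuristics: long names, deep names, and request
counts per query name and per base domain. Sample data is constructed."""
import re
from collections import Counter

# Constructed sample events, not real telemetry. Field names follow the query.
SAMPLE_EVENTS = [
    {"EventType": "DnsRequest", "SourceIP": "10.0.0.5", "DomainName": "www.google.com"},
    {"EventType": "DnsRequest", "SourceIP": "10.0.0.5", "DomainName": "mail.corp.example.com"},
    {"EventType": "ProcessRollup2", "SourceIP": "10.0.0.5", "DomainName": "ignored.example.com"},
    # Tunnel-style requests: hex-encoded payload chunk in front of a deep, fixed suffix.
    {"EventType": "DnsRequest", "SourceIP": "10.0.0.9",
     "DomainName": "4a6f686e20446f652073656e742074686973.a.b.c.d.tunnel.example.net"},
    {"EventType": "DnsRequest", "SourceIP": "10.0.0.9",
     "DomainName": "5468652071756963206b2062726f776e20666f78.a.b.c.d.tunnel.example.net"},
    {"EventType": "DnsRequest", "SourceIP": "10.0.0.9",
     "DomainName": "6a756d7073206f76657220746865206c617a79.a.b.c.d.tunnel.example.net"},
]

LENGTH_THRESHOLD = 50   # mirrors `domainLength > 50`
LABEL_THRESHOLD = 5     # mirrors `LabelCount > 5`
# Mirrors the query's /\.[a-z]{2,}\.[a-z]{2,}$/i filter: at least one label before the base domain.
TWO_TRAILING_LABELS = re.compile(r"\.[a-z]{2,}\.[a-z]{2,}$", re.IGNORECASE)
# Mirrors the suggested `NOT DomainName = /\.google\.com$/i` exclusion (assumed allowlist).
ALLOWLIST = re.compile(r"\.google\.com$", re.IGNORECASE)


def label_count(name: str) -> int:
    """Number of DNS labels. The raw event has no LabelCount field, so derive it."""
    return len(name.rstrip(".").split("."))


def base_domain(name: str, levels: int = 2) -> str:
    """Last `levels` labels of the name, used to group a tunnel's unique FQDNs
    under the domain they all belong to. Assumes a two-label registrable
    domain; a public-suffix list is needed for suffixes such as co.uk."""
    return ".".join(name.rstrip(".").split(".")[-levels:])


def is_suspicious(name: str) -> bool:
    """The query's indicator line: `domainLength > 50 OR LabelCount > 5`."""
    return len(name) > LENGTH_THRESHOLD or label_count(name) > LABEL_THRESHOLD


def detect(events, allow=ALLOWLIST):
    """Return (per_fqdn, per_base).

    per_fqdn mirrors the query's groupBy([DomainName, SourceIP]).
    per_base counts the same suspicious requests per (base_domain, SourceIP),
    which is where a tunnel's volume actually shows up."""
    per_fqdn, per_base = Counter(), Counter()
    for ev in events:
        if ev.get("EventType") != "DnsRequest":      # EventType = "DnsRequest"
            continue
        name = ev["DomainName"]
        if not TWO_TRAILING_LABELS.search(name):      # DomainName = /.../i
            continue
        if allow.search(name):                        # NOT DomainName = /\.google\.com$/i
            continue
        if not is_suspicious(name):
            continue
        per_fqdn[(name, ev["SourceIP"])] += 1
        per_base[(base_domain(name), ev["SourceIP"])] += 1
    return per_fqdn, per_base


if __name__ == "__main__":
    per_fqdn, per_base = detect(SAMPLE_EVENTS)
    print("per query name (what the LogScale query reports):")
    for (name, src), n in per_fqdn.most_common(50):
        print(f"  {n:>3}  {src:<10} {name}")
    print("per base domain:")
    for (base, src), n in per_base.most_common():
        print(f"  {n:>3}  {src:<10} {base}")
```

On the constructed sample the three tunnel requests each appear once in the per-FQDN table, so `sort(field=_count, order=desc)` gives them no advantage over ordinary traffic, while the per-base-domain count attributes all three to `example.net` from the same source. When tuning the real query, consider grouping on the trailing labels of `DomainName` rather than the full name if volume to a single domain is the signal you want.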