Detect Long DNS Txt Record Response
Description
This search detects attempts at DNS tunneling by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a transport for data exfiltration, command and control, or evasion of security controls can often be spotted by noting unusually large volumes of DNS traffic, and oversized TXT answers are one of the clearest signs of that.
Help
To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.
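The logic the search relies on, as an added illustration rather than the page's own SPL: walk DNS response events, keep only TXT records that carry an answer, measure the answer length, and summarise per source anything above a threshold. The sample events, field names (src, query, record_type, answer) and the threshold value are constructed assumptions, not data from the page.

```python
from collections import defaultdict

# Constructed sample events shaped like DNS data model fields (not real traffic).
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "query": "example.com", "record_type": "TXT",
     "answer": "v=spf1 include:_spf.example.com ~all"},
    {"src": "10.0.0.5", "query": "mail.example.com", "record_type": "A",
     "answer": "192.0.2.10"},
    {"src": "10.0.0.9", "query": "a1b2c3.tunnel.example.net", "record_type": "TXT",
     "answer": "Q" * 400},
    {"src": "10.0.0.9", "query": "d4e5f6.tunnel.example.net", "record_type": "TXT",
     "answer": "Z" * 350},
    {"src": "10.0.0.12", "query": "short.example.org", "record_type": "TXT",
     "answer": "ok"},
]

LENGTH_THRESHOLD = 100  # assumption: set this from your own baseline of TXT answer sizes


def txt_answer_lengths(events):
    """Return (src, query, answer_length) for every TXT response; other types are ignored."""
    out = []
    for e in events:
        if e.get("record_type") != "TXT" or not e.get("answer"):
            continue  # the search needs both the record type and the answer populated
        out.append((e["src"], e["query"], len(e["answer"])))
    return out


def long_txt_responses(events, threshold=LENGTH_THRESHOLD):
    """Summarise oversized TXT answers per source: count, largest answer, queried names."""
    hits = defaultdict(lambda: {"count": 0, "max_len": 0, "queries": set()})
    for src, query, length in txt_answer_lengths(events):
        if length <= threshold:
            continue
        h = hits[src]
        h["count"] += 1
        h["max_len"] = max(h["max_len"], length)
        h["queries"].add(query)
    # sorted lists keep the report stable from run to run
    return {src: {**h, "queries": sorted(h["queries"])} for src, h in hits.items()}


if __name__ == "__main__":
    for src, h in long_txt_responses(SAMPLE_EVENTS).items():
        print(f"{src}: {h['count']} long TXT answers, max {h['max_len']} chars, {h['queries']}")
```

Legitimate long TXT records (SPF, DKIM, domain-verification tokens) will also exceed a naive threshold, so tune it against your own baseline and look at the per-source count and the queried names rather than any single answer.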