Detect Long DNS TXT Record Response
This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic.
Detect Long DNS TXT Record Response Help
This search uses the Network_Resolution data model and gathers all the answers to DNS queries for TXT records. It then looks at the answer section and calculates the length of the answer, returning information for those responses that exceed 100 characters in length.
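The following is an added example, not the Splunk search itself or its SPL: it mirrors the logic described above (take DNS TXT responses from Network_Resolution-style events, measure the answer, keep responses longer than 100 characters) and runs it offline over a few constructed events. The field names follow the data model; the sample values, the `exclude_query_substrings` tuning parameter, and the choice to measure a multi-string TXT answer as a whole are assumptions of this example rather than part of the page's search.

```python
"""Offline model of the long-DNS-TXT-response check described above.

Added example, not Splunk's own search or SPL: it applies the same logic
(TXT responses from Network_Resolution-style events, answer length > 100)
to constructed events so the behaviour can be inspected without Splunk.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Field names follow the Splunk Network_Resolution data model (src, dest,
# query, record_type, message_type, answer). All values are constructed
# for this example; none come from a real log.
SAMPLE_EVENTS = [
    # Ordinary SPF record: short, not flagged.
    {"src": "10.0.0.5", "dest": "10.0.0.53", "query": "example.com",
     "record_type": "TXT", "message_type": "Response",
     "answer": ["v=spf1 include:_spf.example.com -all"]},
    # DKIM public key: legitimately long, so a bare length threshold flags it.
    {"src": "10.0.0.5", "dest": "10.0.0.53", "query": "sel._domainkey.example.com",
     "record_type": "TXT", "message_type": "Response",
     "answer": ["v=DKIM1; k=rsa; p=" + "A" * 216]},
    # Encoded-looking payload in a single long TXT string.
    {"src": "10.0.0.7", "dest": "10.0.0.53", "query": "a1b2.tun.example.net",
     "record_type": "TXT", "message_type": "Response",
     "answer": ["MFRGGZDFMZTWQ2LK" * 10]},
    # Several TXT strings in one answer, each under 100 characters on its own.
    {"src": "10.0.0.7", "dest": "10.0.0.53", "query": "chunk.tun.example.net",
     "record_type": "TXT", "message_type": "Response",
     "answer": ["0123456789abcdef" * 3] * 3},
    # An A-record response: not a TXT record, ignored.
    {"src": "10.0.0.9", "dest": "10.0.0.53", "query": "www.example.com",
     "record_type": "A", "message_type": "Response",
     "answer": ["192.0.2.10"]},
    # The outbound TXT query itself: no answer section to measure.
    {"src": "10.0.0.9", "dest": "10.0.0.53", "query": "example.com",
     "record_type": "TXT", "message_type": "Query", "answer": []},
]


@dataclass
class LongTxtHit:
    """One flagged response, with the fields an analyst would pivot on."""
    src: str
    dest: str
    query: str
    answer_length: int


def txt_answer_length(event: dict) -> int:
    """Total characters across every string in the (multivalue) answer field.

    Assumption of this example: a TXT answer made of several strings is
    measured as a whole, so a payload split into short strings still counts
    in full. Accepts a single string, a list of strings, or a missing field.
    """
    answers = event.get("answer") or []
    if isinstance(answers, str):
        answers = [answers]
    return sum(len(a) for a in answers)


def detect_long_txt_responses(
    events: Iterable[dict],
    threshold: int = 100,
    exclude_query_substrings: Sequence[str] = (),
) -> List[LongTxtHit]:
    """Return TXT responses whose answer exceeds `threshold` characters.

    `exclude_query_substrings` is a tuning knob added for this example (not
    part of the page's search): names containing any of these substrings,
    e.g. "._domainkey." for DKIM selectors, are skipped to drop known-benign
    long records before they reach an analyst.
    """
    hits: List[LongTxtHit] = []
    for ev in events:
        if str(ev.get("record_type", "")).upper() != "TXT":
            continue
        if str(ev.get("message_type", "")).lower() != "response":
            continue
        query = str(ev.get("query", ""))
        if any(s in query for s in exclude_query_substrings):
            continue
        length = txt_answer_length(ev)
        if length > threshold:
            hits.append(LongTxtHit(ev["src"], ev["dest"], query, length))
    return hits


if __name__ == "__main__":
    for hit in detect_long_txt_responses(SAMPLE_EVENTS):
        print(f"{hit.src} -> {hit.dest} {hit.query}: {hit.answer_length} chars")
```

Run as-is, the script flags the DKIM record alongside the two encoded-looking answers, which is the expected false positive of a pure length check: SPF, DKIM and DMARC records routinely exceed 100 characters. In practice the threshold is paired with an allowlist of known mail-authentication names (the `exclude_query_substrings` parameter above) and with the volume-based view the page mentions, so that a single long answer is weighed against how many such responses a source receives.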