Detection Of DNS Tunnels


This search is used to detect DNS tunneling, by calculating the sum of the length of DNS queries and DNS answers. The search also filters out potential false positives by filtering out queries made to internal systems and the queries originating from internal DNS, Web, and Email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. Deprecated because existing detection is doing the same.


Detection Of DNS Tunnels Help

To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the NetworkResolution data model. Fields like srccategory are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the cim_corporate_web_domain_search() macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.


Open in Search