DNS Tunneling Investigation

When You See This

1. 1

   DNS analytics alert on high query volume (100+ queries/hour) from a single host to one domain

2. 2

   DNS query strings contain long, high-entropy subdomains (e.g., aGVsbG8gd29ybGQ.tunnel.evil.com)

3. 3

   Excessive TXT record queries from non-mail-server hosts

4. 4

   Network baseline deviation for DNS traffic volume from a specific endpoint

5. 5

   DNS response sizes significantly larger than typical A/AAAA responses

Investigation Steps

1. 1

   Analyze the DNS query patterns

   Pull all DNS queries from the suspect host to the suspect domain. Calculate the average query length, entropy of subdomains, query frequency, and record types requested. Normal DNS queries are short (< 30 chars) and infrequent. DNS tunneling queries are long (50-250 chars), frequent, and often use TXT or NULL record types.

   SIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=dns src_ip="suspect_host" query="*.suspect-domain.com" | eval query_length=len(query) | stats count, avg(query_length) as avg_len, max(query_length) as max_len, values(query_type) as record_types by query_domain

   index=dns src_ip="suspect_host" | stats count by query_domain | sort -count | head 20

   Decision Point

   If: Average query length > 50 characters AND query volume > 100/hour to a single domain

   Yes → Strong DNS tunneling indicators. Proceed to determine the tunneling tool and purpose.

   No → May be legitimate (CDN, ad networks, cloud services generate many DNS queries). Verify the domain reputation and purpose.

2. 2

   Identify the tunneling tool

   Different DNS tunneling tools have recognizable patterns. iodine uses NULL records and has a characteristic handshake. dnscat2 uses TXT or CNAME records with specific encoding patterns. Cobalt Strike DNS beacon uses A records with encoded hostnames. Identifying the tool helps determine attacker sophistication and capabilities.

   SIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=dns src_ip="suspect_host" query_domain="suspect-domain.com" | stats count by query_type | sort -count

   index=dns src_ip="suspect_host" query="*.suspect-domain.com" | head 50 | table _time, query, query_type, answer

3. 3

   Determine if data is being exfiltrated

   Calculate the total data volume being tunneled by summing query and response sizes. Compare with the time window to estimate throughput. DNS tunneling is slow (typically 10-50 KB/s) but can exfiltrate significant data over hours or days. If the total outbound data encoded in queries is substantial, this may be data exfiltration rather than just C2.

   SIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=dns src_ip="suspect_host" query="*.suspect-domain.com" | eval encoded_bytes=len(query)-len(query_domain)-1 | stats sum(encoded_bytes) as total_encoded_bytes, count | eval estimated_data_KB=round(total_encoded_bytes*0.75/1024,2)

4. 4

   Identify the source process

   Correlate the DNS queries with endpoint process data. Identify which process is generating the tunneling traffic. This may be a dropped binary, a legitimate tool being abused, or malware using DNS as its sole communication channel.

   XDR

   Splunk SPLMicrosoft KQLElastic Lucene

   index=endpoint dest_host="suspect_host" process_name!="svchost.exe" dns_query="*.suspect-domain.com" | stats count by process_name, process_path, process_hash

5. 5

   Block and contain

   Sinkhole or block the tunneling domain at the DNS resolver level. Add the domain to firewall deny lists. Isolate the affected host. If the DNS tunneling was being used for C2, the attacker loses control of the implant; but check for backup communication channels (HTTP, HTTPS) that may activate when DNS fails.

   FirewallSIEM

Common Mistakes

1. 1

   Dismissing high DNS query volume as normal without checking the query content and entropy

2. 2

   Blocking the DNS domain without identifying the source process; the malware remains on the host and may switch channels

3. 3

   Not calculating total data exfiltrated; even slow DNS tunneling can move gigabytes over days

4. 4

   Assuming DNS tunneling requires exotic tools; Cobalt Strike, one of the most common post-exploitation frameworks, has built-in DNS beaconing

Escalation Criteria

• Confirmed DNS tunneling with encoded data in queries

• Significant data volume estimated in the tunneling channel (suggesting exfiltration)

• The tunneling process is linked to a known malware family or C2 framework

Frequently Asked Questions

Why do attackers use DNS tunneling?

DNS traffic is rarely blocked or deeply inspected by firewalls and web proxies because it is essential for network operations. DNS tunneling lets attackers bypass security controls that focus on HTTP/HTTPS traffic. Even organizations with sophisticated network monitoring often have blind spots in DNS analysis. APT34 and other nation-state groups have used DNS tunneling for years because of this gap.

How fast is DNS tunneling?

DNS tunneling is slow compared to HTTP; typically 10-50 KB/s for data exfiltration. However, this is sufficient for stealing documents, credentials, or database exports over hours or days. For C2 communication, the low bandwidth is not a limitation because commands and responses are small.

How do I practice DNS tunneling detection?

SOCSimulator includes network scenarios with DNS tunneling patterns that you analyze in the SIEM and firewall consoles. Practice calculating query entropy and identifying tunneling signatures. Start free forever.