Query Details

DNS Tunneling via High-Volume TXT Record Queries

01 DNS Tunneling TXT High Volume

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsQueryTypeName =~ "TXT"
| summarize
    TxtQueryCount  = count(),
    UniqueDomains  = dcount(DnsQuery),
    SampleDomains  = make_set(DnsQuery, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SrcIpAddr, SrcHostname
| where TxtQueryCount > 100
| extend
    HostName = iif(isnotempty(SrcHostname), SrcHostname, SrcIpAddr),
    AlertDetail = strcat("Client sent ", tostring(TxtQueryCount),
                         " TXT queries across ", tostring(UniqueDomains), " unique domains")

Explanation

This query is designed to detect potential DNS tunneling activity by monitoring DNS queries for TXT records. DNS tunneling is a technique used by attackers to send data through DNS queries, often for command and control (C2) communication or data exfiltration. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies clients (computers or devices) that are making an unusually high number of DNS queries for TXT records, which can indicate the use of DNS tunneling tools like iodine, dnscat2, or Cobalt Strike.

  2. Detection Criteria: The query looks for clients that send 100 or more TXT record queries within a one-hour period. TXT records can hold up to 255 characters, making them suitable for carrying encoded data.

  3. Data Source: It uses data from Windows DNS logs, specifically focusing on DNS activity logs.

  4. Output: For each client detected, the query provides:

    • The total number of TXT queries made.
    • The number of unique domains queried.
    • A sample list of up to 10 domains queried.
    • The first and last time the queries were seen within the hour.
  5. Alerting: If a client meets the criteria, an alert is generated with details such as the number of TXT queries, the unique domains involved, and sample domains. The alert is tagged with relevant information about DNS tunneling and associated tools or threat actors.

  6. Severity and Tactics: The alert is marked with high severity and is associated with tactics like Command and Control and Exfiltration, which are common in cyber attacks.

Overall, this query helps security teams identify and investigate potential DNS tunneling activities by focusing on high-volume TXT record queries, which are often used in malicious activities.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsTunnelingTxtRecordsIodineDnscat2APT34OilRigHostIP

Operators

ago()=~summarizecount()dcount()make_set()min()max()by>extendiif()isnotempty()strcat()tostring()

Severity

High

Tactics

CommandAndControlExfiltration

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub