DNS Data Exfiltration via Long Subdomain Labels
08 DNS Data Exfil Long Labels
Query
ASimDnsActivityLogs
| where TimeGenerated > ago(24h)
| extend Labels = split(DnsQuery, ".")
| extend
Label0 = tostring(Labels[0]),
Label1 = tostring(Labels[1]),
Label2 = tostring(Labels[2])
| extend MaxLabelLen = max_of(strlen(Label0), strlen(Label1), strlen(Label2))
| where MaxLabelLen > 35
| extend QuerySize = strlen(DnsQuery)
| summarize
TotalQueries = count(),
EstimatedBytes = sum(QuerySize),
MaxLabelSeen = max(MaxLabelLen),
AvgLabelLen = round(avg(MaxLabelLen), 1),
SampleDomains = make_set(DnsQuery, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SrcIpAddr, SrcHostname
| extend EstimatedKB = round(todouble(EstimatedBytes) / 1024.0, 1)
| where EstimatedKB > 50Explanation
This query is designed to detect potential data exfiltration through DNS queries by identifying unusually long subdomain labels. Here's a simplified breakdown:
-
Purpose: The query aims to spot data being secretly sent out (exfiltrated) using DNS queries. Attackers might encode data into DNS subdomain labels to sneak it out, as DNS labels can be up to 63 characters long, but legitimate domains rarely use labels longer than 30-35 characters.
-
Detection Method:
- The query looks at DNS activity logs from the past 24 hours.
- It splits DNS queries into their subdomain parts and checks the length of each part.
- If any part is longer than 35 characters, it flags it as suspicious.
- It aggregates data to estimate the total amount of data sent by each client over 24 hours.
-
Indicators:
- A client sending more than 100KB of data via DNS in a day is considered a strong indicator of exfiltration.
- The query calculates the total number of queries, the estimated data volume in kilobytes, the longest label seen, and the average label length.
-
Alerting:
- If a client is found to have sent more than 50KB of data using long subdomain labels, an alert is triggered.
- The alert includes details like the hostname, IP address, number of queries, maximum and average label lengths, estimated data volume, and sample domains.
-
Relevance:
- This method is effective in catching "low-and-slow" data exfiltration attempts that might not be detected by other means.
- It aligns with MITRE ATT&CK techniques for exfiltration over unencrypted or obfuscated non-command-and-control protocols.
Overall, this query helps identify potential security breaches where data is being exfiltrated using DNS queries with unusually long subdomain labels.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 24h