Query Details

11 CSL DNS Tunneling Long Hostnames

Query

id: e1f2a3b4-c5d6-4e7f-8a9b-0c1d2e3f4a5b
name: "DNS Tunneling Indicators - Anomalously Long Hostnames"
version: 1.0.0
kind: Scheduled
description: |
  Detects potential DNS tunneling by identifying DNS queries with hostnames longer than
  50 characters or with more than 5 subdomain levels. Tools like dnscat2, iodine, and
  DNScat encode arbitrary data into the subdomain portion of DNS queries, resulting in
  unusually long, structured hostnames. These patterns evade traditional traffic inspection
  but are visible in firewall DNS logs.
  MITRE ATT&CK: T1071.004 (Application Layer Protocol: DNS)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1071
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  | where Protocol in ("DNS", "dns") or DestinationPort == 53
  | where isnotempty(DestinationHostName)
  | extend
      SubdomainLength = strlen(DestinationHostName),       // length of the full queried name
      SubdomainParts  = countof(DestinationHostName, ".")  // number of dots, so labels = dots + 1
  | where SubdomainLength > 50 or SubdomainParts > 5
  | summarize
      QueryCount       = count(),
      UniqueSubdomains = dcount(DestinationHostName),
      LongestQuery     = max(SubdomainLength),
      SampleHosts      = make_set(DestinationHostName, 10),
      SourceIPs        = make_set(SourceIP, 10)  // one value per group here, since grouped by SourceIP
    by SourceIP, DeviceVendor
  | where QueryCount > 10
  | order by LongestQuery desc, QueryCount desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  QueryCount: QueryCount
  LongestQuery: LongestQuery
  UniqueSubdomains: UniqueSubdomains
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Tunneling Suspect - {{SourceIP}} ({{LongestQuery}}-char queries)"
  alertDescriptionFormat: "Host {{SourceIP}} made {{QueryCount}} DNS queries with max hostname length {{LongestQuery}} chars. Abnormal subdomain structure is consistent with DNS tunneling tools."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential DNS tunneling activities by analyzing DNS queries for unusual patterns. Here's a simplified breakdown:

  1. Purpose: The query identifies DNS queries with hostnames that are suspiciously long (over 50 characters) or have more than 5 subdomain levels. These characteristics are typical of DNS tunneling, where data is encoded into DNS queries to evade detection.

  2. Data Source: It uses logs from security devices like Fortinet, Palo Alto Networks, and Zscaler, focusing on DNS traffic (protocol DNS or destination port 53).

  3. Time Frame: The analysis covers DNS logs from the past day and runs every hour.

  4. Detection Logic:

    • It calculates the length of each hostname and the number of dots (subdomain separators) it contains.
    • It flags hostnames that exceed the specified length or subdomain count.
    • It summarizes the data by counting the number of queries and unique subdomains, identifying the longest query, and listing sample hostnames and source IPs.

  5. Alert Criteria: An alert is triggered if a source IP makes more than 10 such queries. The alert includes details like the source IP, the number of queries, and the longest hostname length.

  6. Severity and Tactics: The alert is marked as high severity and relates to tactics like Command and Control and Exfiltration, aligning with MITRE ATT&CK technique T1071.004.

  7. Incident Management: If an alert is triggered, an incident is created, grouping similar alerts by IP address to manage them efficiently.

In essence, this query helps identify potential misuse of DNS for covert data transmission, which could indicate malicious activity.
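To make the detection logic concrete, the following Python mirrors the rule's filter, extend and summarize steps over constructed CommonSecurityLog-style rows. This is an added example, not part of the rule or the original page; the rows, source IPs and example.net names are invented, and it also exercises rows the rule is meant to ignore (non-DNS traffic, out-of-scope vendors, a single long benign lookup).

```python
"""Python mirror of the rule's KQL detection logic, run over constructed log rows."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
MAX_LEN, MAX_DOTS, MIN_QUERIES = 50, 5, 10   # thresholds taken from the rule

def is_dns_row(row, now, window=timedelta(days=1)):
    """The query's where-clauses: inside the 1d window, known vendor, DNS by protocol or port."""
    return (row["TimeGenerated"] > now - window
            and row["DeviceVendor"] in VENDORS
            and (row.get("Protocol", "").lower() == "dns" or row.get("DestinationPort") == 53)
            and bool(row.get("DestinationHostName")))

def hostname_features(host):
    """strlen() and countof(host, '.') as in the extend step. countof counts dots, so
    'SubdomainParts > 5' fires at six dots, i.e. seven or more labels."""
    return len(host), host.count(".")

def detect(rows, now):
    """summarize ... by SourceIP, DeviceVendor, then keep groups with more than MIN_QUERIES hits."""
    groups = defaultdict(list)
    for row in rows:
        if not is_dns_row(row, now):
            continue
        length, dots = hostname_features(row["DestinationHostName"])
        if length > MAX_LEN or dots > MAX_DOTS:
            groups[(row["SourceIP"], row["DeviceVendor"])].append(row["DestinationHostName"])
    return {key: {"QueryCount": len(hosts),
                  "UniqueSubdomains": len(set(hosts)),
                  "LongestQuery": max(map(len, hosts)),
                  "SampleHosts": sorted(set(hosts))[:10]}   # make_set(..., 10)
            for key, hosts in groups.items() if len(hosts) > MIN_QUERIES}

# Constructed sample rows (not real firewall logs); all names are hypothetical.
NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)

def _row(host, ip, vendor="Fortinet", proto="DNS", port=53):
    return {"TimeGenerated": NOW - timedelta(minutes=5), "DeviceVendor": vendor, "Protocol": proto,
            "DestinationPort": port, "DestinationHostName": host, "SourceIP": ip}

# 10.0.0.5: twelve 64-character encoded-looking names plus one short name with six dots
SAMPLE_ROWS = [_row(f"{i:02d}{'a1b2c3d4' * 6}.t.example.net", "10.0.0.5") for i in range(12)]
SAMPLE_ROWS += [
    _row("a.b.c.d.e.example.net", "10.0.0.5"),                                          # 21 chars, 6 dots
    _row("cdn-assets-static-content-server-01.edge.cdnprovider.example", "10.0.0.7"),  # one long benign lookup
    _row("x" * 60 + ".example.net", "10.0.0.9", proto="HTTPS", port=443),              # not DNS, ignored
    _row("y" * 60 + ".example.net", "10.0.0.9", vendor="Cisco"),                       # vendor out of scope
]
```

Only 10.0.0.5 surfaces: 10.0.0.7 makes a single long query and stays under the 10-query floor, and the two 10.0.0.9 rows never pass the vendor and protocol filters.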

Details


David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, Devices, DNS, Hostnames, Subdomains, SourceIP

Operators

ago, in, or, isnotempty, extend, strlen, countof, summarize, count, dcount, max, make_set, by, order by, desc
