DNS Tunneling Indicators - Anomalously Long Hostnames
11 CSL DNS Tunneling Long Hostnames
Query
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where Protocol in ("DNS", "dns") or DestinationPort == 53
| where isnotempty(DestinationHostName)
| extend
SubdomainLength = strlen(DestinationHostName),
SubdomainParts = countof(DestinationHostName, ".")
| where SubdomainLength > 50 or SubdomainParts > 5
| summarize
QueryCount = count(),
UniqueSubdomains = dcount(DestinationHostName),
LongestQuery = max(SubdomainLength),
SampleHosts = make_set(DestinationHostName, 10),
SourceIPs = make_set(SourceIP, 10)
by SourceIP, DeviceVendor
| where QueryCount > 10
| order by LongestQuery desc, QueryCount descExplanation
This query is designed to detect potential DNS tunneling activities by analyzing DNS queries for unusual patterns. Here's a simplified breakdown:
-
Purpose: The query identifies DNS queries with hostnames that are suspiciously long (over 50 characters) or have more than 5 subdomain levels. These characteristics are typical of DNS tunneling, where data is encoded into DNS queries to evade detection.
-
Data Source: It uses logs from security devices like Fortinet, Palo Alto Networks, and Zscaler, focusing on DNS traffic (port 53).
-
Time Frame: The analysis covers DNS logs from the past day and runs every hour.
-
Detection Logic:
- It calculates the length of each hostname and the number of subdomains.
- It flags hostnames that exceed the specified length or subdomain count.
- It summarizes the data by counting the number of queries and unique subdomains, identifying the longest query, and listing sample hostnames and source IPs.
-
Alert Criteria: An alert is triggered if a source IP makes more than 10 such queries. The alert includes details like the source IP, the number of queries, and the longest hostname length.
-
Severity and Tactics: The alert is marked as high severity and relates to tactics like Command and Control and Exfiltration, aligning with MITRE ATT&CK technique T1071.004.
-
Incident Management: If an alert is triggered, an incident is created, grouping similar alerts by IP address to manage them efficiently.
In essence, this query helps identify potential misuse of DNS for covert data transmission, which could indicate malicious activity.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1d