Query Details

DNS Tunneling Indicators - Anomalously Long Hostnames

11 CSL DNS Tunneling Long Hostnames

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where Protocol in ("DNS", "dns") or DestinationPort == 53
| where isnotempty(DestinationHostName)
| extend
    SubdomainLength = strlen(DestinationHostName),
    SubdomainParts  = countof(DestinationHostName, ".")
| where SubdomainLength > 50 or SubdomainParts > 5
| summarize
    QueryCount       = count(),
    UniqueSubdomains = dcount(DestinationHostName),
    LongestQuery     = max(SubdomainLength),
    SampleHosts      = make_set(DestinationHostName, 10),
    SourceIPs        = make_set(SourceIP, 10)
  by SourceIP, DeviceVendor
| where QueryCount > 10
| order by LongestQuery desc, QueryCount desc

Explanation

This query is designed to detect potential DNS tunneling activities by analyzing DNS queries for unusual patterns. Here's a simplified breakdown:

  1. Purpose: The query identifies DNS queries with hostnames that are suspiciously long (over 50 characters) or have more than 5 subdomain levels. These characteristics are typical of DNS tunneling, where data is encoded into DNS queries to evade detection.

  2. Data Source: It uses logs from security devices like Fortinet, Palo Alto Networks, and Zscaler, focusing on DNS traffic (port 53).

  3. Time Frame: The analysis covers DNS logs from the past day and runs every hour.

  4. Detection Logic:

    • It calculates the length of each hostname and the number of subdomains.
    • It flags hostnames that exceed the specified length or subdomain count.
    • It summarizes the data by counting the number of queries and unique subdomains, identifying the longest query, and listing sample hostnames and source IPs.
  5. Alert Criteria: An alert is triggered if a source IP makes more than 10 such queries. The alert includes details like the source IP, the number of queries, and the longest hostname length.

  6. Severity and Tactics: The alert is marked as high severity and relates to tactics like Command and Control and Exfiltration, aligning with MITRE ATT&CK technique T1071.004.

  7. Incident Management: If an alert is triggered, an incident is created, grouping similar alerts by IP address to manage them efficiently.

In essence, this query helps identify potential misuse of DNS for covert data transmission, which could indicate malicious activity.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDevicesDNSHostnamesSubdomainsSourceIP

Operators

agoinorisnotemptyextendstrlencountofsummarizecountdcountmaxmake_setbyorder bydesc

Severity

High

Tactics

CommandAndControlExfiltration

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub