Query Details

13 DNS NULL ANY Tunneling

Query

id: a1b2c3d4-0013-4a5b-8c9d-dns013null
name: NULL and ANY DNS Record Type Queries — Tunneling Indicator
description: |
  Detects queries for the NULL (type 10) and ANY (type 255) DNS record types.
  Neither type is needed by ordinary corporate applications, and both are
  used by DNS tunneling tooling:
  - NULL records: the default carrier of the iodine tunnel and of custom
    tunneling scripts; RFC 1035 defines the type 10 RDATA as "anything at
    all", so it can hold arbitrary binary data up to 65535 octets
  - ANY queries: ask for every record the server holds for a name, which is
    also why they are the classic amplification vector; rarely sent by
    end-user applications, though some older mail transfer agents and manual
    troubleshooting (dig -t ANY) still produce them
  Note: RFC 8482 (2019) lets servers answer ANY queries with a minimal
  response, so software has little reason to keep relying on them; continued
  use of either type is a strong anomaly signal.
  Differentiation from built-in "Potential DNS Tunnel (ASIM DNS)":
  The built-in evaluates query length and overall entropy across all record
  types but does not filter by record type. This rule fires exclusively on
  NULL and ANY record types, which have near-zero legitimate corporate use.
  Lower volume threshold (>5 queries per source per hour) is intentional:
  even a handful of NULL-type queries is highly suspicious, while the
  built-in requires sustained high query volume before firing.
severity: Medium
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1071.004
tags:
  - NULL record
  - ANY query
  - DNS tunneling
  - iodine
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(1h)
  | where DnsQueryTypeName in~ ("NULL", "ANY")
        or DnsQueryType in (10, 255)
  | summarize
      NullAnyCount   = count(),
      UniqueDomains  = dcount(DnsQuery),
      RecordTypes    = make_set(DnsQueryTypeName),
      SampleDomains  = make_set(DnsQuery, 10),
      FirstSeen      = min(TimeGenerated),
      LastSeen       = max(TimeGenerated)
    by SrcIpAddr, SrcHostname
  | where NullAnyCount > 5
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "NULL/ANY DNS Queries — {{SrcHostname}} sent {{NullAnyCount}} unusual record type queries"
  alertDescriptionFormat: "{{SrcHostname}} ({{SrcIpAddr}}) sent {{NullAnyCount}} NULL/ANY DNS queries in the last hour. These record types rarely have a legitimate use in corporate environments and are a known DNS tunneling carrier. Domains: {{SampleDomains}}"
customDetails:
  NullAnyCount: NullAnyCount
  RecordTypes: RecordTypes
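
The rule matches on the numeric QTYPE values 10 and 255 as well as on the names, so it helps to see what those values look like on the wire and to be able to generate test queries against a lab DNS server whose logs feed ASimDnsActivityLogs. The following is an added example, not part of the rule above: it builds a minimal RFC 1035 query packet for a given record type and parses the question section back out. The query name, the lab server address in the comment and the helper names are assumptions for illustration.

```python
"""Build and inspect DNS queries of the record types this rule watches.

Added example, not part of the rule page: shows what a NULL (type 10) or ANY
(type 255) query looks like on the wire (RFC 1035 section 4.1 header plus one
question), so the rule can be validated against a lab DNS server you control.
"""
import socket
import struct

QTYPE_NULL = 10    # RFC 1035 type 10, RDATA is "anything at all"
QTYPE_ANY = 255    # QTYPE=* (ANY), RFC 1035 section 3.2.3
QTYPE_NAMES = {1: "A", 10: "NULL", 16: "TXT", 255: "ANY"}


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Return a minimal query packet: 12-byte header + one question, class IN."""
    # Header: ID, flags (RD=1 only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        question += bytes([len(raw)]) + raw   # length-prefixed label
    question += b"\x00"                       # root label ends the name
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_question(packet: bytes) -> tuple[str, int]:
    """Return (qname, qtype) from the first question of a DNS packet."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype


def qtype_name(qtype: int) -> str:
    """Name as a DNS log would print it; unknown types use the TYPEnnn form."""
    return QTYPE_NAMES.get(qtype, f"TYPE{qtype}")


def send_query(packet: bytes, server: str, port: int = 53,
               timeout: float = 2.0) -> bytes:
    """Send one UDP query to a DNS server you control and return the raw reply.
    Not run at import time; the server address is supplied by the caller."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
        return reply


if __name__ == "__main__":
    for qtype in (QTYPE_NULL, QTYPE_ANY):
        pkt = build_query("t1.tunnel-test.example", qtype)   # assumed test name
        name, parsed = parse_question(pkt)
        print(f"{qtype_name(parsed):4} query for {name}: {pkt.hex()}")
    # To exercise the rule, aim this at a lab DNS server whose logs reach
    # Sentinel (address is a placeholder): more than five within an hour from
    # one host should raise the alert.
    # send_query(build_query("t1.tunnel-test.example", QTYPE_NULL), "10.0.0.53")
```

Running it prints the hex of each packet; the two bytes right after the encoded name are the QTYPE (0x000a for NULL, 0x00ff for ANY), which is exactly the value the ASIM DnsQueryType column carries.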

Explanation

This query is designed to detect suspicious DNS queries that may indicate DNS tunneling, a technique often used for data exfiltration or command and control activities. Specifically, it looks for DNS queries of type "NULL" (type 10) and "ANY" (type 255), which are rarely used for legitimate purposes in corporate environments.

Here's a simplified breakdown of the query:

  1. Data Source: It uses data from Windows DNS logs, specifically the ASimDnsActivityLogs.

  2. Time Frame: The query checks for DNS activity in the past hour.

  3. DNS Query Types: It filters for DNS queries of type "NULL" or "ANY".

  4. Analysis:
    • Counts the number of such queries (NullAnyCount).
    • Counts the number of unique domains queried (UniqueDomains).
    • Lists the types of DNS records queried (RecordTypes).
    • Samples up to 10 domains queried (SampleDomains).
    • Records the first and last time these queries were seen.

  5. Threshold: It flags any source (IP or hostname) that has made more than 5 such queries in the past hour as suspicious.

  6. Alerting: If the threshold is met, it generates an alert with details about the source and the nature of the queries.

  7. Purpose: The query aims to identify potential DNS tunneling activities, which could be a sign of malicious activity, such as data exfiltration or unauthorized communication channels.

  8. Severity: The alert is classified with a medium severity level, indicating a significant but not critical threat.

  9. Tactics and Techniques: It aligns with tactics like Command and Control and Exfiltration, and specifically maps to technique T1071.004 (Application Layer Protocol: DNS).

Overall, this query helps security teams identify and investigate potential misuse of DNS queries that could indicate a security threat. Two points to check before deploying: Windows DNS analytic logs can record a query and its response as separate ASIM events (EventSubType "request" and "response"), in which case each tunnelled query is counted twice and the effective threshold halves; filter on the request events if both are present. Also expect the occasional single ANY query from an administrator running dig -t ANY or from an older mail transfer agent; the >5 threshold is what keeps those below the alert, so lower it only with an allow-list for such sources.
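
To show what the summarize step actually produces, here is the rule's grouping logic re-implemented over a handful of constructed ASimDnsActivityLogs-shaped records. This is an added example, not the rule or Microsoft's code; the event records are constructed (one host sending iodine-style NULL queries, one administrator issuing a single ANY query, one host doing normal A lookups), and the request-only filter is an addition that the KQL above does not have.

```python
"""Re-implementation of the rule's filter + summarize over constructed
ASimDnsActivityLogs-shaped records, to show what fires and why.

Added example, not the rule itself. The records are constructed, not real
telemetry; column names follow the ASIM DNS schema. The requests_only switch
is extra: it shows how double-logged request/response pairs inflate counts."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NULL_ANY_TYPES = {10, 255}
NULL_ANY_NAMES = {"null", "any"}   # compared case-insensitively, like in~
THRESHOLD = 5                      # rule fires when NullAnyCount > THRESHOLD

T0 = datetime(2026, 3, 26, 9, 0, tzinfo=timezone.utc)   # window start


def event(minute, src_ip, host, query, qtype, qtype_name, subtype="request"):
    """One constructed ASIM DNS record (only the columns the rule uses)."""
    return {
        "TimeGenerated": T0 + timedelta(minutes=minute),
        "SrcIpAddr": src_ip, "SrcHostname": host,
        "DnsQuery": query, "DnsQueryType": qtype,
        "DnsQueryTypeName": qtype_name, "EventSubType": subtype,
    }


# Constructed sample data (hostnames and addresses are placeholders).
SAMPLE_EVENTS = (
    [event(i, "10.1.2.30", "WS-TUNNEL", f"{i:04x}.t.tun.example", 10, "NULL")
     for i in range(8)]
    + [event(i, "10.1.2.30", "WS-TUNNEL", f"{i:04x}.t.tun.example", 10, "NULL",
             subtype="response") for i in range(8)]   # logged responses
    + [event(3, "10.1.2.44", "WS-ADMIN", "corp.example", 255, "ANY")]
    + [event(i, "10.1.2.50", "WS-NORMAL", "www.example", 1, "A")
       for i in range(20)]
)


def is_null_or_any(ev):
    """Mirror of: DnsQueryTypeName in~ ("NULL","ANY") or DnsQueryType in (10,255)."""
    return ((ev["DnsQueryTypeName"] or "").lower() in NULL_ANY_NAMES
            or ev["DnsQueryType"] in NULL_ANY_TYPES)


def summarize(events, window_start, window=timedelta(hours=1),
              requests_only=True, threshold=THRESHOLD):
    """Group NULL/ANY queries per (SrcIpAddr, SrcHostname) like the KQL
    summarize and return the rows above the threshold. requests_only drops
    response records so a query and its logged response count once."""
    groups = defaultdict(lambda: {"NullAnyCount": 0, "domains": set(),
                                  "types": set(), "first": None, "last": None})
    for ev in events:
        ts = ev["TimeGenerated"]
        if not (window_start <= ts < window_start + window):
            continue                       # TimeGenerated > ago(1h)
        if requests_only and ev["EventSubType"] != "request":
            continue
        if not is_null_or_any(ev):
            continue
        g = groups[(ev["SrcIpAddr"], ev["SrcHostname"])]
        g["NullAnyCount"] += 1
        g["domains"].add(ev["DnsQuery"])
        g["types"].add(ev["DnsQueryTypeName"])
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    rows = []
    for (ip, host), g in groups.items():
        if g["NullAnyCount"] > threshold:  # | where NullAnyCount > 5
            rows.append({
                "SrcIpAddr": ip, "SrcHostname": host,
                "NullAnyCount": g["NullAnyCount"],
                "UniqueDomains": len(g["domains"]),
                "RecordTypes": sorted(g["types"]),
                "SampleDomains": sorted(g["domains"])[:10],  # make_set(.., 10)
                "FirstSeen": g["first"], "LastSeen": g["last"],
            })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS, T0):
        print(f"{row['SrcHostname']} ({row['SrcIpAddr']}) sent "
              f"{row['NullAnyCount']} {'/'.join(row['RecordTypes'])} queries "
              f"across {row['UniqueDomains']} names, e.g. {row['SampleDomains'][:3]}")
    # Counting responses as well doubles the tunnel host's count (16 vs 8),
    # which is why it is worth knowing whether the connector logs both sides.
    print(summarize(SAMPLE_EVENTS, T0, requests_only=False)[0]["NullAnyCount"])
```

With the constructed data only WS-TUNNEL crosses the threshold; the single ANY query from WS-ADMIN is kept in the per-source group but never alerts, and the A-record host is filtered out before grouping.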

Details


David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

Dns

Operators

ASimDnsActivityLogs, where, in~, or, in, summarize, count, dcount, make_set, min, max, by
