Query Details

NULL and ANY DNS Record Type Queries — Tunneling Indicator

13 DNS NULL ANY Tunneling

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsQueryTypeName in~ ("NULL", "ANY")
      or DnsQueryType in (10, 255)
| summarize
    NullAnyCount   = count(),
    UniqueDomains  = dcount(DnsQuery),
    RecordTypes    = make_set(DnsQueryTypeName),
    SampleDomains  = make_set(DnsQuery, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SrcIpAddr, SrcHostname
| where NullAnyCount > 5

Explanation

This query is designed to detect suspicious DNS queries that may indicate DNS tunneling, a technique often used for data exfiltration or command and control activities. Specifically, it looks for DNS queries of type "NULL" (type 10) and "ANY" (type 255), which are rarely used for legitimate purposes in corporate environments.

Here's a simplified breakdown of the query:

  1. Data Source: It uses data from Windows DNS logs, specifically the ASimDnsActivityLogs.

  2. Time Frame: The query checks for DNS activity in the past hour.

  3. DNS Query Types: It filters for DNS queries of type "NULL" or "ANY".

  4. Analysis:

    • Counts the number of such queries (NullAnyCount).
    • Counts the number of unique domains queried (UniqueDomains).
    • Lists the types of DNS records queried (RecordTypes).
    • Samples up to 10 domains queried (SampleDomains).
    • Records the first and last time these queries were seen.
  5. Threshold: It flags any source (IP or hostname) that has made more than 5 such queries in the past hour as suspicious.

  6. Alerting: If the threshold is met, it generates an alert with details about the source and the nature of the queries.

  7. Purpose: The query aims to identify potential DNS tunneling activities, which could be a sign of malicious activity, such as data exfiltration or unauthorized communication channels.

  8. Severity: The alert is classified with a medium severity level, indicating a significant but not critical threat.

  9. Tactics and Techniques: It aligns with tactics like Command and Control and Exfiltration, and specifically maps to technique T1071.004 (Application Layer Protocol: DNS).

Overall, this query helps security teams identify and investigate potential misuse of DNS queries that could indicate a security threat.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

Dns

Operators

ASimDnsActivityLogswherein~orinsummarizecountdcountmake_setminmaxby

Severity

Medium

Tactics

CommandAndControlExfiltration

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub