Attacker sends excessive or broad DNS queries (e.g., ANY, multiple subdomains) to map infrastructure and discover internal/external assets
Hunting
Statistics → Conversations → UDP
Statistics → Endpoints → IPv4
Statistics → Endpoints → IPv6
Statistics → Protocol Hierarchy
Red Flags
- High volume of DNS queries from single host
- Rapid sequential queries for many subdomains
- ANY query type requests
- Long, random-looking subdomains (possible brute force)
- Queries to internal-only domains from unexpected host
- NXDOMAIN spike (many failed lookups)
Filters
# Show only DNS traffic
dns
# Isolate suspicious host
dns and ip.src == 192.168.10.5
# Detect AXFR (Zone Transfer)
dns.qry.type == 252
# Detect ANY queries
dns.qry.type == 255
# Unusually large DNS responses
dns and frame.len > 1000
# Detect high-frequency queries from one host (the filter only isolates the host; judge the rate with Statistics → I/O Graphs or Conversations)
dns and ip.src == 192.168.10.5
# Detect NXDOMAIN responses
dns.flags.rcode == 3
# Detect long/random subdomains (bruteforce style); the dot must be escaped as \\. inside a quoted filter string
dns.qry.name matches "^[A-Za-z0-9]{8,}\\."
# Detect excessive queries to same domain
dns and dns.qry.name contains "targetdomain.com"
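To turn these red flags into a repeatable check over a whole capture rather than one display filter at a time, here is an added Python example (not part of the original page) that scores tshark field output per client. The input format, the thresholds and the sample packets are constructed assumptions.

```python
"""Flag DNS reconnaissance indicators in tshark field output (added example).
Assumed input (constructed here): tab-separated lines from
  tshark -r capture.pcap -Y dns -T fields -e ip.src -e ip.dst \
    -e dns.flags.response -e dns.qry.type -e dns.qry.name -e dns.flags.rcode
"""
import re
from collections import Counter, defaultdict

# Same pattern as the display filter; note it also matches long legitimate
# labels (e.g. "targetdomain."), so the length is a tuning knob.
LONG_LABEL = re.compile(r"^[A-Za-z0-9]{8,}\.")
QUERY_THRESHOLD, NXDOMAIN_THRESHOLD = 5, 3   # per-client limits; tune per network

# Constructed sample: 192.168.10.5 enumerates targetdomain.com, 10.0.0.9 guesses
# names that do not exist (NXDOMAIN replies from resolver 10.0.0.53),
# 192.168.10.22 is a normal client.
SAMPLE = """\
192.168.10.5\t10.0.0.53\t0\t1\twww.targetdomain.com\t0
192.168.10.5\t10.0.0.53\t0\t255\ttargetdomain.com\t0
192.168.10.5\t10.0.0.53\t0\t252\ttargetdomain.com\t0
192.168.10.5\t10.0.0.53\t0\t1\tdev.targetdomain.com\t0
192.168.10.5\t10.0.0.53\t0\t1\tx7k2p9qz.targetdomain.com\t0
10.0.0.53\t10.0.0.9\t1\t1\tdev.targetdomain.com\t3
10.0.0.53\t10.0.0.9\t1\t1\tvpn.targetdomain.com\t3
10.0.0.53\t10.0.0.9\t1\t1\tstaging.targetdomain.com\t3
192.168.10.22\t10.0.0.53\t0\t1\twww.targetdomain.com\t0
"""

def analyze(text):
    """Return {client_ip: [indicator, ...]} for every client that trips a red flag."""
    queries, nxdomain = Counter(), Counter()
    findings = defaultdict(set)
    for line in text.strip().splitlines():
        src, dst, is_resp, qtype, qname, rcode = line.split("\t")
        if is_resp in ("0", "False"):        # query: client is ip.src (tshark prints 0/1 or False/True)
            queries[src] += 1
            if qtype == "255":
                findings[src].add("ANY query")
            if qtype == "252":
                findings[src].add("AXFR request")
            if LONG_LABEL.match(qname):
                findings[src].add("long random-looking subdomain")
        elif rcode == "3":                   # NXDOMAIN reply: client is ip.dst
            nxdomain[dst] += 1
    for host, n in queries.items():
        if n >= QUERY_THRESHOLD:
            findings[host].add("high query volume")
    for host, n in nxdomain.items():
        if n >= NXDOMAIN_THRESHOLD:
            findings[host].add("NXDOMAIN spike")
    return {host: sorted(flags) for host, flags in findings.items()}
```

Responses are attributed to the client via ip.dst, so the resolver itself never appears as a noisy host.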