Operator On The Wire

DNS Tunneling

An attacker encodes data inside DNS queries and responses (typically TXT records or long, machine-generated subdomains) to exfiltrate data or to keep a C2 channel open through a resolver that is allowed out of the network.

Telltale signature: consistent high-entropy junk in the labels, plus regular (beacon-like) timing between queries.


Hunting

Wireshark: Statistics → Conversations → DNS (look for one internal host dominating DNS traffic to a single external domain)


Red Flags

  • High volume of DNS TXT queries
  • Very long subdomain labels
  • Random/high-entropy domain strings
  • Repeated queries to same external domain
  • NXDOMAIN responses mixed with long queries
  • DNS over TCP (sometimes used for large payloads)
  • Base64-like patterns in DNS queries
  • One host dominating outbound DNS traffic
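As an added illustration that is not part of the original page, the script below applies these red flags (TXT volume, long names, base64-like labels, high-entropy labels, one host dominating) to DNS query logs. The log format, the hostnames and the thresholds are constructed assumptions; adjust them to your resolver's log format and baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log: "src_ip qtype qname" (not from the page).
SAMPLE_LOG = """\
192.168.10.5 TXT aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c2VjcmV0ZGF0YQ.tunnel.example
192.168.10.5 TXT dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcw.bW9yZWRhdGE.tunnel.example
192.168.10.5 TXT 3kd92KfmQ8xLzP0wRtYv7HnB2cJe5Gq.tunnel.example
192.168.10.7 A www.example.com
192.168.10.7 A mail.example.com
192.168.10.9 AAAA cdn.example.net
"""

# Same character class as the page's "base64-like" display filter, anchored to one label.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/]{20,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 text sits near 5-6, English words around 3-4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_query(qname: str, qtype: str) -> list[str]:
    """Return the red flags from the list above that a single query trips."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    flags = []
    if qtype == "TXT":
        flags.append("txt")
    if len(qname) >= 40:                      # mirrors the ".{40,}" filter
        flags.append("long_name")
    if BASE64_LABEL.match(longest):
        flags.append("base64_like")
    if len(longest) >= 16 and shannon_entropy(longest) >= 4.0:  # assumed threshold
        flags.append("high_entropy")
    return flags

def hunt(log_text: str, min_flags: int = 2) -> dict:
    """Aggregate per source host; keep hosts whose queries repeatedly trip flags."""
    per_host = defaultdict(lambda: {"queries": 0, "flagged": 0, "domains": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, qtype, qname = line.split()
        rec = per_host[src]
        rec["queries"] += 1
        if len(score_query(qname, qtype)) >= min_flags:
            rec["flagged"] += 1
            rec["domains"][".".join(qname.rstrip(".").split(".")[-2:])] += 1
    return {host: rec for host, rec in per_host.items() if rec["flagged"] > 0}

if __name__ == "__main__":
    for host, rec in hunt(SAMPLE_LOG).items():
        print(host, rec["flagged"], "of", rec["queries"], "queries flagged", dict(rec["domains"]))
```

Hosts that show up here should be cross-checked against the Conversations view and query timing before escalation.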

Filters (Wireshark display filters)

# Show DNS traffic
dns

# Isolate suspicious host
dns and ip.src == 192.168.10.5

# Detect A record queries
dns.qry.type == 1

# Detect TXT record queries
dns.qry.type == 16

# Long TXT answers (responses carrying payload back to the host)
dns.resp.type == 16 and dns.txt.length > 30

# Detect unusually long domain names
dns.qry.name matches ".{40,}"

# Detect high-entropy / base64-like labels
dns.qry.name matches "[A-Za-z0-9+/]{20,}"

# Detect excessive DNS traffic from a single host (compare the packet count with other hosts)
dns and ip.src == 192.168.10.5

# DNS over TCP (large transfers)
dns and tcp.port == 53