This note documents detection patterns related to DNS Abuse on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | dig repeated external domains | DNS-based recon or beaconing | Critical | Frequency matters. |
| Shell history | nslookup unusual domains | Manual DNS probing | High | Common operator recon. |
| Shell history | host repeated queries | DNS enumeration | High | Often lightweight recon. |
| Shell history | dig txt | TXT retrieval | Critical | Common covert channel pattern. |
| Shell history | dig @ external resolver | Alternate resolver use | Critical | Bypass of normal DNS path. |
| Resolver config | /etc/resolv.conf modified | DNS redirect | Critical | Strong stealth / control signal. |
| Resolver config | Unusual resolver IP | Rogue DNS path | Critical | Strong anomaly. |
| Network logs | Long random subdomains | DNS tunneling | Critical | Very strong signal. |
| Network logs | Frequent TXT lookups | Covert retrieval | Critical | High suspicion. |
| auditd | resolver file write | Resolver tampering | Critical | Attribution. |
| Network logs | high DNS burst | Beaconing or tunneling | Critical | Tunnel / beacon clue. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| DNS burst after foothold | Recon or C2 stage | Critical | Strong chain. |
| TXT lookups plus payload staging | Covert retrieval | Critical | Mature operator behavior. |
| Resolver changed after root shell | Traffic control | Critical | Strong hostile sequence. |
| Random subdomain bursts | Tunneling likely | Critical | High-confidence anomaly. |
| DNS queries under service account | Suspicious context | Critical | Exploitation shell likely. |
Common Tools
| Tool | Usage |
|---|---|
| dig | DNS query control. |
| nslookup | Resolver probing. |
| host | Lightweight lookup. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Resolver config | /etc/resolv.conf | Critical | Core DNS control artifact. |
| Shell history | .bash_history | Critical | Query evidence. |
| Audit logs | /var/log/audit/audit.log | Critical | Attribution. |
| Network logs | DNS flows | Critical | Tunnel truth. |
MITRE ATT&CK References
- T1071.004 Application Layer Protocol: DNS
- T1046 Network Service Discovery
Decision Tree
- Which DNS tool used?
- Normal or external resolver?
- TXT or random subdomains?
- Resolver changed?
- Linked to payload or beacon?
Example Detection Templates
Grep
grep -R "dig \|nslookup \|host \|dig txt\|dig @" /home/*/.bash_history /root/.bash_history 2>/dev/null
Journalctl
journalctl | grep -i dns
File Inspection
cat /etc/resolv.conf
Sigma
title: Linux DNS Abuse
id: linux-dns-abuse
status: experimental
description: Detects suspicious DNS usage and resolver abuse
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'dig txt'
      - 'nslookup'
      - 'dig @'
  condition: selection_keywords
level: high
tags:
  - attack.command_and_control
  - attack.t1071.004
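The network-log indicators above (high DNS burst, frequent TXT lookups, long random subdomains) can be checked together over a query log. The following script is an added example, not part of the original note; it assumes a constructed log format of `timestamp client qname qtype` per line, and the thresholds (10 s window, 5 queries, 3 TXT, 20-char / 3.5-bit label) are illustrative.

```python
import math
from collections import defaultdict

# Constructed sample query log (timestamp client qname qtype); not a real capture.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.9 a9f3k2qz8x1mvb7n4c0ptw5rlh6dgy.tunnel.example.net TXT
1700000002 10.0.0.9 z7q1w8e4r2t6y0u3i9o5pasdfghjkl.tunnel.example.net TXT
1700000003 10.0.0.9 m2n4b6v8c0x1z3l5k7j9h8g6f4d2s0.tunnel.example.net TXT
1700000003 10.0.0.9 q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5.tunnel.example.net TXT
1700000004 10.0.0.9 p0o9i8u7y6t5r4e3w2q1l2k3j4h5g6.tunnel.example.net TXT
"""

def label_entropy(label):
    """Shannon entropy in bits per character of a single DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_random_subdomain(qname, min_len=20, min_entropy=3.5):
    """Long, high-entropy leftmost label: the 'long random subdomain' tunneling signal."""
    first = qname.split(".")[0]
    return len(first) >= min_len and label_entropy(first) >= min_entropy

def analyze(log_text, window=10, burst=5, txt_burst=3):
    """Per-client findings: dns_burst, txt_burst and random_subdomain flags."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        per_client[client].append((int(ts), qname, qtype.upper()))
    findings = {}
    for client, queries in per_client.items():
        queries.sort()
        flags = set()
        for i, (ts, qname, qtype) in enumerate(queries):
            # All queries from this client within `window` seconds of the current one
            win = [q for q in queries[i:] if q[0] - ts <= window]
            if len(win) >= burst:
                flags.add("dns_burst")
            if sum(1 for q in win if q[2] == "TXT") >= txt_burst:
                flags.add("txt_burst")
            if is_random_subdomain(qname):
                flags.add("random_subdomain")
        if flags:
            findings[client] = sorted(flags)
    return findings
```

Tune the thresholds against baseline traffic before alerting; CDN and anti-spam lookups also produce long labels and TXT queries.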
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| DNS monitoring | Alert on unusual TXT bursts | Critical | Strong tunnel visibility. |
| Resolver control | Lock trusted resolvers | Critical | Prevents redirection. |
| Auditd | Track resolver file writes | High | Attribution. |