# long\_dns\_connection

**Explanation**

The long\_dns\_connection NDM flags sustained interactive connections leaving the customer's network to destinations on TCP port 53, which is used by DNS. Most DNS connections are short-lived, so a long connection is anomalous and may be an indicator of DNS tunneling.

**What to Look For**

Check external destination hosts to verify that they are valid DNS servers. Check internal hosts to confirm that they are not compromised or infected with malware.
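The following is an added example, not part of the original page and not the product's own detection logic. It applies the rule described above to flow records and groups the hits by destination for triage. The 300-second threshold, the RFC 1918 internal ranges, the approved-resolver list, and the record layout are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (none of these values come from the page):
MIN_DURATION_S = 300.0                      # what counts as "long"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RESOLVERS = {"192.0.2.53"}         # DNS servers the site expects to use

# Constructed flow records: ts src dst dst_port proto duration_s bytes_out bytes_in
SAMPLE_FLOWS = """\
1700000000 10.1.4.20 192.0.2.53 53 tcp 0.41 120 3100
1700000050 10.1.4.20 198.51.100.7 53 tcp 1842.7 91234 40511
1700000100 10.1.9.3 198.51.100.7 53 udp 0.02 60 110
1700000200 10.1.9.3 192.0.2.53 53 tcp 960.0 5000 7000
1700000300 10.1.7.8 203.0.113.9 443 tcp 3600.0 1000 9000
1700000400 10.1.4.20 198.51.100.7 53 tcp - - -
1700000500 203.0.113.50 10.1.2.2 53 tcp 900.0 10 10
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def long_dns_connections(text, min_duration=MIN_DURATION_S):
    """Return outbound TCP/53 flows that lasted at least min_duration seconds."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue                        # skip blank or malformed records
        ts, src, dst, port, proto, dur, _out, _in = fields
        if proto != "tcp" or port != "53" or dur == "-":
            continue                        # "-" = no duration recorded for the flow
        if not is_internal(src) or is_internal(dst):
            continue                        # only internal -> external traffic
        if float(dur) >= min_duration:
            hits.append({"ts": int(ts), "src": src, "dst": dst, "duration": float(dur)})
    return hits

def triage(hits):
    """Group hits by destination; unapproved destinations sort first."""
    by_dst = defaultdict(set)
    for h in hits:
        by_dst[h["dst"]].add(h["src"])
    rows = [(dst in APPROVED_RESOLVERS, dst, sorted(srcs)) for dst, srcs in by_dst.items()]
    return sorted(rows)

if __name__ == "__main__":
    for approved, dst, srcs in triage(long_dns_connections(SAMPLE_FLOWS)):
        print(f"{dst} approved_resolver={approved} internal_hosts={srcs}")
```

A long connection to an approved resolver still appears in the output, so an analyst can confirm it rather than have it silently suppressed.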

**Related MITRE ATT\&CK Categories**

[Command and Control: Protocol Tunneling, Technique T1572 - Enterprise](https://attack.mitre.org/techniques/T1572)
