dns_lookup_tunneling

Explanation

This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name Service (DNS) requests that are consistent with DNS being used as a tunnel for non-DNS traffic. Attackers often use protocol tunneling to evade network monitoring, circumvent network boundary restrictions, or defeat DLP controls.

In a DNS tunnel, attacker malware running on a compromised host will encode messages or TCP/IP packets into the host and subdomain portion of an otherwise normal DNS resolution request for a domain controlled by the attacker. These requests will be forwarded to the attacker's Domain Name Server, and the DNS replies sent by that server will include encoded responses or TCP/IP packets. In this way the attacker can communicate over DNS.

This NDM detects a scenario where a large number of DNS requests have been observed for different hosts within a single domain within a short period of time. This pattern of activity is indicative of DNS tunneling.

What to Look For

Examine the DNS traffic associated with the alarm. In a DNS tunnel, data is encoded in the subdomain and host portions of the query, so they will appear nonsensical and not readable by a human. DNS tunnels also rarely use "A" or "AAAA" query types, so investigators should look for anomalous volumes of MX, CNAME, or TXT queries. Investigate the source of these requests for malware infection or unauthorized software, and check DNS logs for any other hosts making DNS lookup requests for the offending domain.
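As an added illustration of the detection logic and the indicators described above (example code written for this page, not Netography's own detection), the following Python groups a constructed resolver log by client and registered domain, counts distinct host labels inside a sliding time window, and reports label entropy and query-type mix for any pair over threshold. The sample log, the thresholds and the naive two-label domain split are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict
# Constructed sample resolver log: (epoch seconds, client IP, query name, query type).
# Hypothetical data, not captured traffic; "example-tunnel.net" stands in for an attacker domain.
SAMPLE_LOG = [
    (1000, "10.0.0.5", "www.example.com", "A"),
    (1001, "10.0.0.5", "mail.example.com", "MX"),
    (1003, "10.0.0.5", "api.example.com", "AAAA"),
] + [
    # Twelve TXT queries in 12 seconds, each with a different random-looking host label.
    (1000 + i, "10.0.0.9", hashlib.sha256(str(i).encode()).hexdigest()[:24] + ".c.example-tunnel.net", "TXT")
    for i in range(12)
]

def registered_domain(qname):
    """Naive registered domain: last two labels (use the Public Suffix List in production)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def host_part(qname):
    """Everything left of the registered domain, where a tunnel carries its payload."""
    return ".".join(qname.lower().rstrip(".").split(".")[:-2])

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far higher than words like 'www'."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def find_tunnel_candidates(log, window=60, min_unique_hosts=10):
    """Flag (client, domain) pairs with many distinct host labels inside one time window."""
    by_pair = defaultdict(list)
    for ts, client, qname, qtype in log:
        by_pair[(client, registered_domain(qname))].append((ts, host_part(qname), qtype))
    findings = []
    for (client, domain), events in by_pair.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({h for _, h, _ in events[start:end + 1]}))
        if best >= min_unique_hosts:
            hosts = [h for _, h, _ in events]
            findings.append({
                "client": client, "domain": domain, "unique_hosts": best,
                "mean_entropy": round(sum(map(shannon_entropy, hosts)) / len(hosts), 2),
                "qtypes": dict(Counter(q for _, _, q in events)),
            })
    return findings
```

Each finding carries the fields an analyst would pivot on next: the client to inspect for malware, the domain to search for across other hosts' DNS logs, and the query-type counts that show whether the traffic is TXT/MX/CNAME-heavy rather than ordinary A/AAAA resolution.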

Related MITRE ATT&CK Categories

Protocol Tunneling, Technique T1572 - Enterprise