T1071.004 DNS Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
let DomainLengthThreshold = 50;
let SubdomainEntropyThreshold = 3.5;
// Detect DNS tunneling via high-entropy, long subdomain queries
DnsEvents
| where TimeGenerated > ago(TimeWindow)
| where QueryType in ("TXT", "NULL", "CNAME", "MX", "A", "AAAA")
| extend DomainLength = strlen(Name)
| extend SubdomainParts = countof(Name, ".")
| extend TopDomain = tostring(split(Name, ".")[-2]) 
| where DomainLength > DomainLengthThreshold or SubdomainParts > 5
| summarize
    QueryCount = count(),
    UniqueSubdomains = dcount(Name),
    AvgDomainLength = avg(DomainLength),
    MaxDomainLength = max(DomainLength),
    QueryTypes = make_set(QueryType),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by ClientIP, TopDomain
| where QueryCount > 20 and UniqueSubdomains > 10
| where AvgDomainLength > 40
| extend TunnelConfidence = case(
    UniqueSubdomains > 100 and AvgDomainLength > 60, "high",
    UniqueSubdomains > 50 and AvgDomainLength > 50, "high",
    "medium")
| project LastSeen, ClientIP, TopDomain, QueryCount, UniqueSubdomains, AvgDomainLength, MaxDomainLength, QueryTypes, TunnelConfidence
| sort by QueryCount desc

critical severity high confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow DNS Logs

Required Tables

DnsEvents

False Positives

Content Delivery Networks (CDNs) and anti-DDoS services that use long subdomain strings for routing (e.g., Akamai, Cloudflare)
Email security services (DKIM, SPF, DMARC) that generate long TXT record queries
Certificate validation services performing OCSP and CRL checks with encoded certificate data
Antivirus and threat intelligence services that encode file hashes in DNS queries for reputation lookups

Splunk

spl

index=dns sourcetype IN ("stream:dns", "microsoft:windows:dns", "infoblox:dns", "pi-hole")
  (query_type IN ("TXT", "NULL", "CNAME", "MX", "A", "AAAA"))
| eval DomainLength=len(query)
| eval SubdomainParts=mvcount(split(query, "."))
| eval TopDomain=mvindex(split(query, "."), -2)
| where DomainLength > 50 OR SubdomainParts > 5
| stats count as QueryCount, dc(query) as UniqueSubdomains, avg(DomainLength) as AvgDomainLength, max(DomainLength) as MaxDomainLength, values(query_type) as QueryTypes, earliest(_time) as FirstSeen, latest(_time) as LastSeen by src_ip, TopDomain
| where QueryCount > 20 AND UniqueSubdomains > 10 AND AvgDomainLength > 40
| eval TunnelConfidence=case(
    UniqueSubdomains > 100 AND AvgDomainLength > 60, "high",
    UniqueSubdomains > 50 AND AvgDomainLength > 50, "high",
    1=1, "medium")
| eval BytesEstimate=round(UniqueSubdomains * (AvgDomainLength - len(TopDomain) - 1))
| table FirstSeen, LastSeen, src_ip, TopDomain, QueryCount, UniqueSubdomains, AvgDomainLength, MaxDomainLength, QueryTypes, TunnelConfidence, BytesEstimate
| sort - QueryCount

critical severity high confidence

Data Sources

Network Traffic: Network Traffic Content DNS Logs Sysmon Event ID 22

Required Sourcetypes

stream:dns microsoft:windows:dns infoblox:dns

False Positives

Content Delivery Networks (CDNs) and anti-DDoS services that use long subdomain strings for routing (e.g., Akamai, Cloudflare)
Email security services (DKIM, SPF, DMARC) that generate long TXT record queries
Certificate validation services performing OCSP and CRL checks with encoded certificate data
Antivirus and threat intelligence services that encode file hashes in DNS queries for reputation lookups

Elastic Security (EQL)

eql

FROM logs-network_traffic.dns-*, logs-zeek.dns-*, logs-dns-*
| WHERE event.category == "network" AND network.protocol == "dns"
| WHERE dns.question.type IN ("TXT", "NULL", "CNAME", "MX", "A", "AAAA")
| EVAL domain_length = LENGTH(dns.question.name)
| EVAL subdomain_parts = MV_COUNT(SPLIT(dns.question.name, "."))
| WHERE domain_length > 50 OR subdomain_parts > 5
| STATS
    query_count = COUNT(*),
    unique_subdomains = COUNT_DISTINCT(dns.question.name),
    avg_domain_length = AVG(domain_length),
    max_domain_length = MAX(domain_length),
    query_types = VALUES(dns.question.type),
    first_seen = MIN(@timestamp),
    last_seen = MAX(@timestamp)
    BY source.ip
| WHERE query_count > 20 AND unique_subdomains > 10 AND avg_domain_length > 40
| EVAL tunnel_confidence = CASE(
    unique_subdomains > 100 AND avg_domain_length > 60, "high",
    unique_subdomains > 50 AND avg_domain_length > 50, "high",
    "medium"
  )
| SORT query_count DESC

high severity medium confidence

Data Sources

Elastic Agent Network Packet Capture (DNS) Zeek DNS logs via Filebeat Packetbeat DNS module Windows DNS Debug Logs via Elastic Agent

Required Tables

logs-network_traffic.dns-* logs-zeek.dns-* logs-dns-*

False Positives

CDN providers such as Akamai, Cloudflare, and Fastly use long base64-encoded subdomains for origin selection and TLS routing — filter on known CDN apex domains (e.g., akamaiedge.net, cloudfront.net) using an allowlist enrichment step
Software update services and antivirus cloud lookups (Windows Update, Symantec LiveUpdate, CrowdStrike) generate high-frequency queries to vendor domains with embedded device or version identifiers encoded in subdomains
Internal Kubernetes or Consul service mesh DNS resolution produces many unique FQDN queries per source IP as pods resolve service names — especially during deployment scaling or rolling restarts

IBM QRadar (AQL)

sql

SELECT
  sourceip AS ClientIP,
  COUNT(*) AS QueryCount,
  COUNT(DISTINCT "DNS Query Name") AS UniqueSubdomains,
  AVG(LONG(STRLEN("DNS Query Name"))) AS AvgDomainLength,
  MAX(LONG(STRLEN("DNS Query Name"))) AS MaxDomainLength,
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) ILIKE '%DNS%'
  AND (
    "DNS Record Type" IN ('TXT', 'NULL', 'CNAME', 'MX', 'A', 'AAAA')
    OR "DNS Record Type" IS NULL
  )
  AND STRLEN("DNS Query Name") > 0
  AND (
    LONG(STRLEN("DNS Query Name")) > 50
    OR (
      LONG(STRLEN("DNS Query Name"))
      - LONG(STRLEN(REPLACE("DNS Query Name", '.', '')))
    ) > 5
  )
  AND starttime > (NOW() - 86400000)
GROUP BY sourceip
HAVING COUNT(*) > 20
  AND COUNT(DISTINCT "DNS Query Name") > 10
  AND AVG(LONG(STRLEN("DNS Query Name"))) > 40
ORDER BY QueryCount DESC

high severity medium confidence

Data Sources

Infoblox NIOS syslog (QRadar DSM) ISC BIND query logs Microsoft Windows DNS Server debug logs Cisco Umbrella logs Pi-hole FTLDNS logs

Required Tables

events (QRadar SIEM event store with DNS Custom Event Properties configured)

False Positives

Akamai and other CDN networks use long encoded hostnames for geographic load balancing — queries to *.akamaiedge.net or *.cloudfront.net exceed 50 characters and appear in high volume from corporate egress NAT addresses
Security operations platforms performing bulk passive DNS replication or threat intelligence enrichment from internal sensor appliances generate high query volumes with varied subdomains against external resolvers
Enterprise backup solutions and DLP agents using DNS-based license validation or cloud telemetry beaconing may exhibit long-domain query patterns from backup server IP addresses during scheduled jobs

Sumo Logic CSE

sql

_sourceCategory=*dns* OR _sourceCategory=*network/dns*
| where type in ("TXT", "NULL", "CNAME", "MX", "A", "AAAA")
| eval domain_length = length(query_name)
| eval subdomain_count = length(query_name) - length(replace(query_name, ".", ""))
| where domain_length > 50 OR subdomain_count > 5
| parse regex field=query_name "(?:[^.]+[.])*(?<top_domain>[^.]+[.][^.]+)$"
| count as QueryCount, count_distinct(query_name) as UniqueSubdomains, avg(domain_length) as AvgDomainLength, max(domain_length) as MaxDomainLength by src_ip, top_domain
| where QueryCount > 20 AND UniqueSubdomains > 10 AND AvgDomainLength > 40
| eval TunnelConfidence = if(UniqueSubdomains > 100 AND AvgDomainLength > 60, "high", if(UniqueSubdomains > 50 AND AvgDomainLength > 50, "high", "medium"))
| eval BytesEstimate = round(UniqueSubdomains * (AvgDomainLength - length(top_domain) - 1))
| fields src_ip, top_domain, QueryCount, UniqueSubdomains, AvgDomainLength, MaxDomainLength, TunnelConfidence, BytesEstimate
| sort by QueryCount desc

high severity medium confidence

Data Sources

Sumo Logic DNS Installed Collector (syslog or file-based) Pi-hole query log via Sumo Logic collector agent Infoblox NIOS syslogs forwarded to Sumo Logic Windows DNS Server debug log via Installed Collector Zeek dns.log via HTTP Source

Required Tables

_sourceCategory=*dns* _sourceCategory=*network/dns*

False Positives

Cloud storage providers encode bucket names, request IDs, or routing tokens in subdomains — large enterprises querying AWS S3 presigned URL domains or Azure Blob Storage FQDNs will regularly exceed both length and uniqueness thresholds
ACME certificate renewal systems performing DNS-01 challenges create one-time long TXT record queries per domain per renewal cycle, generating bursts from web server or automation pipeline IPs
Network vulnerability scanners and DNS brute-force enumeration tools performing subdomain discovery against internal zones produce high volumes of unique subdomain queries from scanner IPs that match all detection thresholds

Google Chronicle / SecOps

yaral

rule dns_tunneling_long_subdomain_t1071_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DNS tunneling via high-volume long subdomain queries (T1071.004)"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071.004"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    $e.network.dns.questions.type in (
      "TXT", "NULL", "CNAME", "MX", "A", "AAAA"
    )
    (
      re.regex($e.network.dns.questions.name, `.{50,}`) or
      re.regex($e.network.dns.questions.name, `(?:[^.]+[.]){5,}`)
    )
    $src_ip = $e.principal.ip
    $top_domain = re.capture(
      $e.network.dns.questions.name,
      `[^.]+[.][^.]+$`
    )

  match:
    $src_ip, $top_domain over 24h

  outcome:
    $query_count = count($e.metadata.id)
    $unique_subdomains = count_distinct($e.network.dns.questions.name)
    $max_domain_length = max(length($e.network.dns.questions.name))
    $tunnel_confidence = if(
      $unique_subdomains > 100 and $max_domain_length > 60, "high",
      if($unique_subdomains > 50 and $max_domain_length > 50, "high", "medium")
    )

  condition:
    #e > 20 and $unique_subdomains > 10
}

high severity medium confidence

Data Sources

Google Chronicle UDM (NETWORK_DNS events) DNS forwarder logs ingested via Chronicle Ingestion API Palo Alto Networks DNS Security logs forwarded to Chronicle Cisco Umbrella logs via Chronicle connector Infoblox NIOS via Chronicle connector

Required Tables

UDM events with metadata.event_type = NETWORK_DNS

False Positives

Google and Akamai DNS-based load balancing infrastructure generates long unique subdomain sequences from corporate client IPs — known CDN and cloud provider apex domains should be excluded via a reference list in the rule's events section
Automated certificate management tooling (ACME DNS-01 validation via cert-manager or acme.sh) creates distinct long TXT record queries from CI/CD pipeline or Kubernetes controller IPs during certificate issuance
Enterprise EDR and XDR solutions beaconing to cloud telemetry endpoints using device-specific encoded hostnames produce the long-unique-subdomain signature from endpoint IP addresses at scale

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "DnsRequest"
| DomainName != ""
| RequestType = /TXT|NULL|CNAME|MX|A|AAAA/i
| domain_length := length(DomainName)
| subdomain_parts := count(splitString(DomainName, "."))
| filter { domain_length > 50 or subdomain_parts > 5 }
| regex("(?:[^.]+[.])*(?P<TopDomain>[^.]+[.][^.]+)$", field=DomainName, strict=false)
| groupBy(
    [LocalAddressIP4, ComputerName, TopDomain],
    function=[
      count(as=QueryCount),
      count(field=DomainName, distinct=true, as=UniqueSubdomains),
      avg(field=domain_length, as=AvgDomainLength),
      max(field=domain_length, as=MaxDomainLength),
      collect(field=RequestType, limit=10, as=QueryTypes)
    ]
  )
| filter { QueryCount > 20 and UniqueSubdomains > 10 and AvgDomainLength > 40 }
| TunnelConfidence := if(
    UniqueSubdomains > 100 and AvgDomainLength > 60, "high",
    if(UniqueSubdomains > 50 and AvgDomainLength > 50, "high", "medium")
  )
| sort(field=QueryCount, order=desc, limit=200)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (DnsRequest events) Falcon Data Replicator (FDR) S3 stream into LogScale CrowdStrike LogScale self-hosted or cloud

Required Tables

DnsRequest events (#event_simpleName = DnsRequest)

False Positives

CrowdStrike Falcon's own sensor generates DNS queries to cloud backend endpoints containing encoded device identifiers — filter known CrowdStrike infrastructure FQDNs (e.g., ts01-b.cloudsink.net, lfodown01-b.cloudsink.net) by excluding their apex domains from results
Developer workstations running local Kubernetes clusters (minikube, kind, Docker Desktop) generate high volumes of unique internal DNS queries from service discovery on loopback or bridge interfaces, appearing as long-subdomain bursts
Windows Defender SmartScreen and Windows Update telemetry services periodically resolve long encoded domain names for routing decisions, generating false positives from managed corporate endpoints during business hours

DNS

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections