Detect DNS in Microsoft Sentinel
Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1590 Gather Victim Network Information
- Sub-technique
- T1590.002 DNS
- Canonical reference
- https://attack.mitre.org/techniques/T1590/002/
KQL Detection Query
let DNSOSINTTools = dynamic([
"dnsrecon", "dnsrecon.py", "dnsx", "subfinder", "amass", "fierce",
"fierce.py", "dnsmap", "dnsenum", "dnsenum.pl", "sublist3r",
"gobuster", "dnstwist", "dnswalk", "masscan", "shuffledns",
"puredns", "altdns", "knockpy"
]);
let PrivateRanges = dynamic(["10.", "192.168.", "172.16.", "172.17.", "172.18.", "172.19.",
"172.20.", "172.21.", "172.22.", "172.23.", "172.24.", "172.25.",
"172.26.", "172.27.", "172.28.", "172.29.", "172.30.", "172.31.",
"127.", "169.254."]);
// Branch 1: DNS Zone Transfer Attempts (AXFR/IXFR) against internal DNS servers
let ZoneTransferAlerts = DnsEvents
| where TimeGenerated > ago(24h)
| where QueryType in ("AXFR", "IXFR") or QueryType == "255"
| where not(ClientIP has_any (PrivateRanges))
| extend AlertType = "External DNS Zone Transfer Attempt"
| extend RiskScore = 90
| project TimeGenerated, Computer, ClientIP, Name, QueryType, ResultCode,
AlertType, RiskScore;
// Branch 2: Bulk ANY/NS/MX/TXT record enumeration from single external IP
let BulkEnumAlerts = DnsEvents
| where TimeGenerated > ago(1h)
| where QueryType in ("NS", "MX", "TXT", "SOA", "255", "AXFR")
| where not(ClientIP has_any (PrivateRanges))
| summarize QueryCount = count(), UniqueNames = dcount(Name),
QueryTypes = make_set(QueryType), Earliest = min(TimeGenerated),
Latest = max(TimeGenerated)
by ClientIP, Computer, bin(TimeGenerated, 10m)
| where QueryCount > 30 or UniqueNames > 20
| extend AlertType = "Bulk External DNS Enumeration"
| extend RiskScore = 70
| project TimeGenerated = Earliest, Computer, ClientIP, QueryCount, UniqueNames,
QueryTypes, AlertType, RiskScore;
// Branch 3: OSINT reconnaissance tools executed on managed endpoints
let OSINTToolAlerts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (DNSOSINTTools)
or (FileName in~ ("python.exe", "python3", "python3.exe", "python")
and ProcessCommandLine has_any ("dnsrecon", "dnsenum", "fierce", "sublist3r", "dnstwist"))
or (FileName in~ ("nslookup.exe", "nslookup") and ProcessCommandLine has_any ("ls -d", "ls -t", "-type=axfr", "-querytype=axfr", "-q=axfr", "-type=any", "-type=ns", "-type=mx", "-type=txt"))
or (FileName =~ "dig" and ProcessCommandLine has_any ("axfr", "AXFR", "+short", "ANY", "TXT", "MX", "NS", "DKIM", "_dmarc"))
| extend AlertType = "DNS Enumeration Tool Execution on Endpoint"
| extend RiskScore = 60
| project TimeGenerated = Timestamp, DeviceName, AccountName, FileName,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, AlertType, RiskScore;
// Union all branches
union ZoneTransferAlerts, BulkEnumAlerts, OSINTToolAlerts
| sort by TimeGenerated descThree-branch detection covering DNS reconnaissance across different observable surfaces. Branch 1 targets AXFR/IXFR zone transfer requests from external IPs against internal DNS servers using the DnsEvents table (populated by Windows DNS Server via Azure Monitor Agent). Branch 2 identifies bulk DNS enumeration from single external IPs querying NS/MX/TXT/SOA/ANY records at high frequency. Branch 3 catches OSINT tool execution (dnsrecon, subfinder, amass, fierce, dnsx, dnsenum) on managed endpoints via DeviceProcessEvents, including Python invocations of DNS recon scripts and nslookup/dig with zone transfer flags.
Data Sources
Required Tables
False Positives & Tuning
- Authorized DNS zone transfers between primary and secondary name servers — legitimate AXFR from secondary NS IP addresses configured for zone replication
- Internal IT and security teams running DNS enumeration tools during authorized penetration tests, asset discovery, or DNS hygiene audits
- Monitoring and asset management platforms (Qualys, Tenable, Rapid7) that perform DNS enumeration as part of scheduled scans against owned infrastructure
- Developers and DevOps engineers using dig or nslookup with ANY/MX/TXT flags to troubleshoot mail delivery, SPF validation, or SSL certificate issues
Other platforms for T1590.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DNS Zone Transfer Attempt via nslookup
Expected signal: Sysmon Event ID 1: Process Create with Image=nslookup.exe, CommandLine containing '-type=axfr'. Sysmon Event ID 3: Network Connection to nsztm1.digi.ninja on TCP/53 (zone transfers require TCP). DNS server debug log (if configured): outbound AXFR query. Windows Security Event ID 4688 (if command line auditing enabled).
- Test 2DNS Zone Transfer via dig
Expected signal: Linux process execution via auditd: execve syscall for /usr/bin/dig with arguments 'axfr zonetransfer.me @nsztm1.digi.ninja'. Network connection on TCP/53 to nsztm1.digi.ninja. Sysmon for Linux Event ID 1 (if deployed): Process Create. Stream:DNS capture shows query_type=AXFR from the endpoint IP.
- Test 3DNS Subdomain Enumeration with dnsrecon
Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=dnsrecon or python3, CommandLine containing 'dnsrecon' and 'example.com'. Multiple DNS queries for MX, NS, TXT, SOA, A records for example.com visible in stream:dns or DNS server logs. High query count from the endpoint IP within a short window.
- Test 4DNS MX and TXT Record Harvesting via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and record type arguments. Sysmon Event ID 22 (DNS Query): Multiple DNS queries for MX, TXT, NS, SOA record types for example.com. PowerShell ScriptBlock Logging Event ID 4104: full script content including all Resolve-DnsName calls.
- Test 5Subfinder Passive DNS Enumeration
Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=subfinder, CommandLine containing 'example.com' and '-o /tmp/subdomains.txt'. Sysmon for Linux EventCode=11 (File Create): /tmp/subdomains.txt written. Network connections to multiple external threat intelligence APIs (api.shodan.io, virustotal.com, crt.sh) over HTTPS.
References (12)
- https://attack.mitre.org/techniques/T1590/002/
- https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- https://dnsdumpster.com/
- https://www.circl.lu/services/passive-dns/
- https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- https://github.com/darkoperator/dnsrecon
- https://github.com/projectdiscovery/subfinder
- https://github.com/OWASP/Amass
- https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/dns
- https://learn.microsoft.com/en-us/azure/sentinel/dns-domain-generation-algorithm
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.002/T1590.002.md
- https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
Unlock Pro Content
Get the full detection package for T1590.002 including response playbook, investigation guide, and atomic red team tests.