Detect DNS in Splunk
Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1590 Gather Victim Network Information
- Sub-technique
- T1590.002 DNS
- Canonical reference
- https://attack.mitre.org/techniques/T1590/002/
SPL Detection Query
| multisearch
[
search index=dns sourcetype="stream:dns" (query_type="AXFR" OR query_type="IXFR" OR query_type="255")
NOT (src_ip="10.*" OR src_ip="192.168.*" OR src_ip="172.16.*" OR src_ip="172.17.*" OR src_ip="172.18.*" OR src_ip="172.19.*" OR src_ip="172.20.*" OR src_ip="172.21.*" OR src_ip="172.22.*" OR src_ip="172.23.*" OR src_ip="172.24.*" OR src_ip="172.25.*" OR src_ip="172.26.*" OR src_ip="172.27.*" OR src_ip="172.28.*" OR src_ip="172.29.*" OR src_ip="172.30.*" OR src_ip="172.31.*" OR src_ip="127.*")
| eval AlertType="External Zone Transfer Attempt", RiskScore=90
| eval src=src_ip, dest=dest_ip, query_name=query, qtype=query_type
]
[
search index=dns sourcetype="stream:dns" (query_type="NS" OR query_type="MX" OR query_type="TXT" OR query_type="SOA" OR query_type="255" OR query_type="ANY")
NOT (src_ip="10.*" OR src_ip="192.168.*" OR src_ip="172.*" OR src_ip="127.*")
| eval AlertType="Bulk External DNS Enumeration", RiskScore=70
| eval src=src_ip, dest=dest_ip, query_name=query, qtype=query_type
| bucket _time span=10m
| stats count as QueryCount, dc(query) as UniqueNames, values(query_type) as QueryTypes by src, dest, _time, AlertType, RiskScore
| where QueryCount > 30 OR UniqueNames > 20
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\dnsrecon*" OR Image="*\\dnsx*" OR Image="*\\subfinder*" OR Image="*\\amass*"
OR Image="*\\fierce*" OR Image="*\\dnsmap*" OR Image="*\\dnsenum*" OR Image="*\\gobuster*"
OR Image="*\\altdns*" OR Image="*\\knockpy*"
OR ((Image="*\\python*" OR Image="*\\python3*") AND (CommandLine="*dnsrecon*" OR CommandLine="*dnsenum*" OR CommandLine="*fierce*" OR CommandLine="*sublist3r*" OR CommandLine="*dnstwist*"))
OR (Image="*\\nslookup.exe" AND (CommandLine="*-type=axfr*" OR CommandLine="*-q=axfr*" OR CommandLine="*-querytype=axfr*" OR CommandLine="*-type=any*" OR CommandLine="*ls -d*" OR CommandLine="*ls -t*"))
OR (Image="*\\dig*" AND (CommandLine="*axfr*" OR CommandLine="*AXFR*" OR CommandLine="* any *" OR CommandLine="*_dmarc*" OR CommandLine="* MX *" OR CommandLine="* NS *")))
| eval AlertType="DNS Enumeration Tool on Endpoint", RiskScore=60
| eval src=host, query_name=CommandLine
]
| eval log_source=coalesce(sourcetype, "unknown")
| table _time, AlertType, RiskScore, src, dest, query_name, qtype, QueryCount, UniqueNames, host, User, Image, CommandLine, ParentImage
| sort - RiskScore, - _timeThree-branch multisearch detection for DNS reconnaissance. Branch 1 uses stream:dns to detect zone transfer (AXFR/IXFR) requests from external IP addresses. Branch 2 identifies high-frequency bulk DNS queries (NS/MX/TXT/SOA/ANY) from a single external source within 10-minute windows exceeding 30 total queries or 20 unique names. Branch 3 uses Sysmon Event ID 1 to detect DNS OSINT tool execution on managed endpoints, covering Python-based scripts, direct tool binaries, and nslookup/dig invocations with zone-transfer or bulk-enumeration flags. Results are unified and sorted by risk score.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized DNS zone transfers between primary and secondary name servers — secondary NS IP addresses should be allowlisted
- Authorized penetration tests or vulnerability scans using dnsrecon, subfinder, or amass against owned domains
- Monitoring and asset discovery platforms (Qualys, Rapid7, Tenable) performing DNS resolution as part of scheduled scans
- Developers troubleshooting email delivery issues using dig or nslookup to verify MX, SPF, DKIM, and DMARC records
Other platforms for T1590.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DNS Zone Transfer Attempt via nslookup
Expected signal: Sysmon Event ID 1: Process Create with Image=nslookup.exe, CommandLine containing '-type=axfr'. Sysmon Event ID 3: Network Connection to nsztm1.digi.ninja on TCP/53 (zone transfers require TCP). DNS server debug log (if configured): outbound AXFR query. Windows Security Event ID 4688 (if command line auditing enabled).
- Test 2DNS Zone Transfer via dig
Expected signal: Linux process execution via auditd: execve syscall for /usr/bin/dig with arguments 'axfr zonetransfer.me @nsztm1.digi.ninja'. Network connection on TCP/53 to nsztm1.digi.ninja. Sysmon for Linux Event ID 1 (if deployed): Process Create. Stream:DNS capture shows query_type=AXFR from the endpoint IP.
- Test 3DNS Subdomain Enumeration with dnsrecon
Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=dnsrecon or python3, CommandLine containing 'dnsrecon' and 'example.com'. Multiple DNS queries for MX, NS, TXT, SOA, A records for example.com visible in stream:dns or DNS server logs. High query count from the endpoint IP within a short window.
- Test 4DNS MX and TXT Record Harvesting via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and record type arguments. Sysmon Event ID 22 (DNS Query): Multiple DNS queries for MX, TXT, NS, SOA record types for example.com. PowerShell ScriptBlock Logging Event ID 4104: full script content including all Resolve-DnsName calls.
- Test 5Subfinder Passive DNS Enumeration
Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=subfinder, CommandLine containing 'example.com' and '-o /tmp/subdomains.txt'. Sysmon for Linux EventCode=11 (File Create): /tmp/subdomains.txt written. Network connections to multiple external threat intelligence APIs (api.shodan.io, virustotal.com, crt.sh) over HTTPS.
References (12)
- https://attack.mitre.org/techniques/T1590/002/
- https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- https://dnsdumpster.com/
- https://www.circl.lu/services/passive-dns/
- https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- https://github.com/darkoperator/dnsrecon
- https://github.com/projectdiscovery/subfinder
- https://github.com/OWASP/Amass
- https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/dns
- https://learn.microsoft.com/en-us/azure/sentinel/dns-domain-generation-algorithm
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.002/T1590.002.md
- https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
Unlock Pro Content
Get the full detection package for T1590.002 including response playbook, investigation guide, and atomic red team tests.