Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-DNSTunnel-Exfil.

Upgrade to Pro
THREAT-DNSTunnel-Exfil Splunk · SPL

Detect DNS Tunneling for Covert Data Exfiltration in Splunk

DNS tunneling encodes stolen data inside the query names (and occasionally TXT/NULL record responses) of DNS lookups, exploiting the fact that DNS is almost universally permitted outbound even in tightly filtered network environments. OilRig/APT34 has repeatedly built DNS-based communication into its custom malware families, using DNS resolution as both a C2 and exfiltration channel to survive proxy and firewall egress controls. FIN7 has used DNS tunneling against point-of-sale and retail environments where HTTP(S) egress was more tightly monitored than DNS. APT41 has deployed publicly available DNS tunneling frameworks such as dnscat2 during intrusions where direct HTTP(S) exfiltration was blocked. Commodity tooling in this space — iodine, dnscat2, DNSExfiltrator, and PacketWhisper — all share the same observable signature: large volumes of DNS queries for subdomains of an attacker-controlled domain, where the subdomain label itself is a base32/base64/hex-encoded chunk of stolen data, together with an abnormal skew toward TXT/NULL/CNAME query types and elevated NXDOMAIN rates (since many tunneling implementations use non-existent subdomains purely as a data-carrying vehicle). This detection deliberately focuses on DNS query-log analytics rather than endpoint process telemetry, since it catches tunneling traffic that a purely process-based detection would miss (e.g., DNS tunneling from a compromised network appliance, or malware that resolves names via direct socket calls rather than a monitored DNS client process) and is a good complement to the process-execution-based detections already covered on the parent T1048.003 page.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=network sourcetype="zeek:dns" OR sourcetype="bro:dns"
| eval label_len=len(mvindex(split(query, "."), 0))
| eval registered_domain=mvjoin(mvindex(split(query, "."), -2, -1), ".")
| bucket _time span=5m
| stats count AS QueryCount, dc(query) AS UniqueSubdomains, avg(label_len) AS AvgLabelLength,
    max(label_len) AS MaxLabelLength,
    count(eval(qtype_name IN ("TXT","NULL","CNAME"))) AS TxtNullCnameCount,
    count(eval(rcode_name="NXDOMAIN")) AS NxDomainCount,
    values(id.orig_h) AS SourceIPs
  BY registered_domain, _time
| where UniqueSubdomains >= 50 AND AvgLabelLength >= 30
| eval TunnelScore = (UniqueSubdomains/10) + (AvgLabelLength/5) + (TxtNullCnameCount*2) + NxDomainCount
| sort - TunnelScore
high severity medium confidence

SPL detection against Zeek/Bro dns.log (query, qtype_name, rcode_name, id.orig_h, id.resp_h fields) implementing the same DNS-tunneling fingerprint as the KQL query: high subdomain cardinality with long labels under a single parent domain, elevated TXT/NULL/CNAME query share, and elevated NXDOMAIN rate within 5-minute buckets. Where Zeek is not deployed, substitute Windows DNS Server analytical log fields (QueryName, QueryType, QueryStatus) via a suitable field-mapping macro.

Data Sources

Zeek/Bro DNS log (dns.log)Network sensor DNS telemetry

Required Sourcetypes

zeek:dnsbro:dns

False Positives & Tuning

  • CDN and cloud service high-cardinality subdomain lookups — allowlist known legitimate parent domains
  • Bulk SPF/DKIM/DMARC TXT lookups by mail security gateways

Other platforms for THREAT-DNSTunnel-Exfil


Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate DNS Tunneling Data Exfiltration via iodine

    Expected signal: DNS query logs showing a burst of long, base32-encoded subdomain queries against tunnel.testdomain.example with a high proportion of NULL/TXT query types.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-DNSTunnel-Exfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections