Multiple requests to long hostnames indicating DNS tunneling
Description
AlphaSOC detected multiple queries for fully qualified domain names (FQDNs) containing unusually long, seemingly random hostnames under a specific domain. This may indicate DNS tunneling activity. DNS tunneling is a technique used by attackers to bypass network security controls by encapsulating non-DNS traffic within DNS queries and responses. Common destinations, client configuration requests, restricted TLDs, CDNs, or storage infrastructure destinations are excluded from the detection to avoid false positives.
Impact
DNS tunneling can have serious security implications, allowing attackers to bypass traditional network security measures. It can be used for data exfiltration, potentially leading to loss of sensitive information. Additionally, it provides a covert channel for malware to communicate with command and control servers (C2), facilitating further compromise and lateral movement within the network through seemingly harmless DNS requests.
Severity
| Severity | Condition |
|---|---|
| High | Multiple DNS requests indicating DNS tunneling |
Investigation and Remediation
Identify the systems and users that issued the long hostname queries. In the DNS logs, look for the indicators that distinguish tunneling from ordinary lookups: a high query volume to a single domain from one client, a large number of distinct subdomains that are rarely or never repeated, unusually long or high-entropy labels, and unusual record types (TXT, NULL, CNAME) or oversized responses. Try decoding the labels (hex, base32, base64) to see whether they carry data rather than a hostname. If DNS tunneling is confirmed, isolate the affected systems, block the domain at the resolver, terminate the malicious processes, and conduct a thorough malware scan.
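The triage described above, as an added example that is not AlphaSOC's detection code: it aggregates DNS query logs per registered domain, computes query volume, the ratio of distinct subdomains to queries, mean subdomain length and mean Shannon entropy, drops allowlisted CDN/storage domains, and reports domains exceeding every threshold. The log format, allowlist, thresholds and sample records are all constructed assumptions for this illustration.

```python
"""Heuristic triage of DNS query logs for tunnelling-style hostnames.
Added illustration, not AlphaSOC's logic. Log format, allowlist, thresholds
and the sample records at the bottom are constructed for this example."""
import math
import re
from collections import defaultdict

# Stand-in for the CDN / storage / configuration exclusions (assumed entries).
ALLOWLIST = {"cloudfront.net", "akamaihd.net", "amazonaws.com"}

# Assumed thresholds; tune against your own baseline.
MIN_QUERIES = 5
MIN_UNIQUE_RATIO = 0.8   # distinct subdomains / queries
MIN_MEAN_LEN = 30        # characters in the subdomain part
MIN_MEAN_ENTROPY = 3.0   # bits per character

# Assumed log line format: "<epoch> <client_ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, registered_domain) with a naive last-two-labels rule.
    Production code should use the public suffix list (e.g. host.example.co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(lines):
    """Yield (client_ip, qname); lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(4)


def score_domains(lines):
    """Aggregate per registered domain. Returns {domain: stats}."""
    acc = {}
    for client, qname in parse_log(lines):
        sub, dom = split_qname(qname)
        if not sub or dom in ALLOWLIST:
            continue
        d = acc.setdefault(dom, {"n": 0, "subs": set(), "clients": set(),
                                 "len": 0, "ent": 0.0})
        d["n"] += 1
        d["subs"].add(sub)
        d["clients"].add(client)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub.replace(".", ""))
    return {dom: {"queries": d["n"],
                  "clients": sorted(d["clients"]),
                  "unique_ratio": len(d["subs"]) / d["n"],
                  "mean_len": d["len"] / d["n"],
                  "mean_entropy": d["ent"] / d["n"]}
            for dom, d in acc.items()}


def flag_tunnel_candidates(lines):
    """Return a sorted list of (domain, stats) exceeding every threshold."""
    return sorted(((dom, s) for dom, s in score_domains(lines).items()
                   if s["queries"] >= MIN_QUERIES
                   and s["unique_ratio"] >= MIN_UNIQUE_RATIO
                   and s["mean_len"] >= MIN_MEAN_LEN
                   and s["mean_entropy"] >= MIN_MEAN_ENTROPY),
                  key=lambda x: x[0])


# --- constructed sample data (not real traffic) -------------------------
_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # base32-style alphabet


def _fake_chunk(i, length=40):
    """Deterministic pseudo-random label for the synthetic tunnel records."""
    return "".join(_ALPHABET[(i * 5 + k * 11) % 32] for k in range(length))


SAMPLE_LOG = (
    ["1700000000 10.0.0.7 A www.example.com"] * 20                      # benign
    + [f"17000000{10 + i:02d} 10.0.0.7 TXT {_fake_chunk(i)}.t.exfil-example.test"
       for i in range(8)]                                                # tunnel-like
    + ["1700000030 10.0.0.9 A d1abcdefghijklmnopqrstuvwxyz0123456789.cloudfront.net"]
    + ["1700000031 10.0.0.9 A " + "x" * 35 + ".static.example.org"]    # one-off
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for dom, s in flag_tunnel_candidates(SAMPLE_LOG):
        print(f"{dom}: {s['queries']} queries from {s['clients']}, "
              f"mean_len={s['mean_len']:.1f} entropy={s['mean_entropy']:.2f}")
```

On the sample data only `exfil-example.test` is reported: the CDN name is long but allowlisted, `www.example.com` is repeated rather than unique, and the single long `static.example.org` lookup falls below the volume threshold. Feed the function your resolver's query log in the assumed format (or adjust `LOG_RE`) and review the flagged domains together with the querying clients.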
Known False Positives
- Legitimate applications using DNS for service discovery or content delivery networks (CDNs)
- Security and endpoint agents that perform reputation or signature lookups by encoding hashes into DNS queries