
Multiple requests to long hostnames indicating DNS tunneling

ID: multiple_long_hostnames
Data type: DNS, HTTP
Severity: High
MITRE ATT&CK: TA0010:T1048

Description

AlphaSOC detected multiple queries for fully qualified domain names (FQDNs) containing unusually long, seemingly random hostnames under a specific domain. This may indicate DNS tunneling activity. DNS tunneling is a technique used by attackers to bypass network security controls by encapsulating non-DNS traffic within DNS queries and responses. Common destinations, client configuration requests, restricted TLDs, CDNs, or storage infrastructure destinations are excluded from the detection to avoid false positives.

Impact

DNS tunneling can have serious security implications, allowing attackers to bypass traditional network security measures. It can be used for data exfiltration, potentially leading to loss of sensitive information. Additionally, it provides a covert channel for malware to communicate with command and control servers (C2), facilitating further compromise and lateral movement within the network through seemingly harmless DNS requests.

Severity

Severity   Condition
High       Multiple DNS requests indicating DNS tunneling

Investigation and Remediation

Investigate the source of the long hostname requests, identifying the involved systems and users. Analyze DNS logs for patterns of abnormal query volumes or sizes. Examine the content of suspicious DNS queries for encoded data. If DNS tunneling is confirmed, isolate affected systems, terminate the malicious processes, and conduct a thorough malware scan.
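As an added illustration of the log analysis described above (example code written for this page, not AlphaSOC's detection logic), the following Python script sweeps constructed DNS query records, scores each hostname label by length and character entropy, skips an assumed CDN allowlist, and reports client/domain pairs that queried several distinct long, random-looking names under one domain. The thresholds, the allowlist and the two-label approximation of a registered domain are assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log: "<client_ip> <queried_name>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 a3f9c1e7b2d4f6a8c0e1b3d5f7a9c2e4.tun.example-evil.net
10.0.0.5 9e2d7c4b1a6f8e3d0c5b2a7f4e9d1c6b.tun.example-evil.net
10.0.0.5 7b1a4c9e2d6f0b3a8c5e1d4f7a2b9c6e.tun.example-evil.net
10.0.0.5 c4e8b2d6f0a1c3e5b7d9f1a3c5e7b9d2.tun.example-evil.net
10.0.0.7 d1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6.cloudfront.net
10.0.0.7 e2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7.cloudfront.net
10.0.0.7 f3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8.cloudfront.net
10.0.0.9 mail.example.com
"""

# Assumed tuning values and CDN allowlist; a production rule would use a curated list.
EXCLUDED_DOMAINS = {"cloudfront.net"}
MIN_LABEL_LEN = 24   # label length treated as "unusually long"
MIN_ENTROPY = 3.0    # bits/char; 32-char hex labels score near 4.0, dictionary words far lower
MIN_DISTINCT = 3     # distinct long hostnames per (client, domain) before alerting

def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_domain(qname):
    # Last two labels; a real tool would consult the public suffix list (simplification).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def is_long_random_label(label):
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY

def detect_long_hostnames(log_text):
    """Return {(client_ip, domain): distinct_count} for pairs reaching MIN_DISTINCT."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed records instead of aborting the sweep
        client, qname = parts
        domain = registered_domain(qname)
        if domain in EXCLUDED_DOMAINS:
            continue  # CDN/storage destinations are excluded to limit false positives
        host_labels = qname.rstrip(".").split(".")[:-2]
        if any(is_long_random_label(label) for label in host_labels):
            seen[(client, domain)].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= MIN_DISTINCT}
```

Running `detect_long_hostnames(SAMPLE_LOG)` on the constructed log flags only the `example-evil.net` queries from 10.0.0.5; the equally long `cloudfront.net` names are suppressed by the allowlist, which is the trade-off the "Known False Positives" section describes.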

Known False Positives

  • Legitimate applications using DNS for service discovery or content delivery networks (CDNs)