DNS tunneling detection is one of the most challenging aspects of daily security operations. Attackers abuse the DNS protocol to exfiltrate data or establish C2 channels. Since firewalls typically allow DNS traffic, this method evades most security solutions. Wazuh can catch these attacks through log analysis and anomaly detection.
🔍 How DNS Tunneling Works
The client encodes the data it wants to move out (here Base64, with the trailing = padding dropped because it is not valid in a hostname) into the subdomain label of a query for a domain the attacker controls. The authoritative name server for that domain receives the payload inside what looks like an ordinary lookup; the two labels below decode to "hello world" and "this is sensitive data":
    aGVsbG8gd29ybGQ.attacker-domain.com
    dGhpcyBpcyBzZW5zaXRpdmUgZGF0YQ.attacker-domain.com
⚠️ Detection Indicators
- High volume of DNS queries to a single domain (e.g., 100+ per minute)
- Abnormally long subdomain names (50+ characters)
- Subdomains that look Base64 or hex encoded
- High volume of TXT record queries with low TTL values
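To see the indicators above applied to real log lines, here is an added Python script (not from the post and not part of Wazuh) that parses constructed BIND query-log lines, keeps per-domain counters for the four indicators and flags the domains that trigger them. It assumes the last two labels approximate the registered domain, treats a label as "encoded" when it is at least 12 characters, uses only the Base64/hex alphabet and mixes letters with digits, and applies the query-count threshold to whatever window of lines you feed it (one minute's worth for the post's 100-per-minute figure).

```python
import re
from collections import defaultdict

# Constructed BIND9 query-log lines (not from the post); the encoded labels
# are the two names the post shows, plus ordinary lookups for contrast.
SAMPLE_LOG = """\
client 10.0.0.5#53214 (aGVsbG8gd29ybGQ.attacker-domain.com): query: aGVsbG8gd29ybGQ.attacker-domain.com IN TXT + (10.0.0.1)
client 10.0.0.5#53215 (dGhpcyBpcyBzZW5zaXRpdmUgZGF0YQ.attacker-domain.com): query: dGhpcyBpcyBzZW5zaXRpdmUgZGF0YQ.attacker-domain.com IN TXT + (10.0.0.1)
client 10.0.0.7#40001 (www.example.com): query: www.example.com IN A + (10.0.0.1)
client 10.0.0.7#40002 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)")
ENCODED_ALPHABET = re.compile(r"[A-Za-z0-9+/=]+")  # Base64 and hex both fit

def looks_encoded(label: str, min_len: int = 12) -> bool:
    """Heuristic (assumption): long, Base64/hex alphabet only, letters and digits mixed."""
    return (len(label) >= min_len and ENCODED_ALPHABET.fullmatch(label) is not None
            and any(c.isdigit() for c in label) and any(c.isalpha() for c in label))

def registered_domain(name: str) -> str:
    # Assumption: the last two labels approximate the registered domain (no PSL lookup).
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyze(log_text: str) -> dict:
    """Per-domain counters for the indicators listed in the post."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "max_label": 0, "encoded": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group("name").rstrip(".").split(".")
        d = stats[registered_domain(m.group("name"))]
        d["queries"] += 1
        d["txt"] += m.group("qtype") == "TXT"
        d["max_label"] = max(d["max_label"], max(len(l) for l in labels))
        d["encoded"] += any(looks_encoded(l) for l in labels[:-2])  # subdomain labels only
    return dict(stats)

def flag(stats: dict, burst: int = 100, long_label: int = 50) -> dict:
    """Map each domain to the post's indicators it triggers (default thresholds are the post's)."""
    reasons = {}
    for dom, d in stats.items():
        hits = [name for cond, name in (
            (d["queries"] >= burst, "query burst"),
            (d["max_label"] >= long_label, "long label"),
            (d["encoded"] > 0, "encoded subdomain"),
            (d["txt"] == d["queries"], "TXT-only traffic")) if cond]
        if hits:
            reasons[dom] = hits
    return reasons
```

On the post's own two example names the labels are 15 and 30 characters, so only the encoding and TXT indicators fire; the 50-character threshold is there to catch longer payload chunks.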
🔧 Wazuh Configuration
Point the Wazuh agent on the DNS server at the BIND query log so each query line is forwarded to the manager (add this to the agent's ossec.conf):
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/named/queries.log</location>
    </localfile>
📝 Custom Rule Example
Add the rule below to local_rules.xml on the manager (by default /var/ossec/etc/rules/local_rules.xml). The regex needs type="pcre2" (available since Wazuh 4.2): the default OS_Regex syntax has neither the {50,} quantifier nor [...] character classes, so without it the pattern never matches.
    <group name="local,syslog,dns,">
      <rule id="100010" level="12">
        <if_group>syslog</if_group>
        <!-- PCRE2 is required for the {50,} quantifier and the bracket classes -->
        <regex type="pcre2">query: [A-Za-z0-9+/=]{50,}\.[a-z]+\.[a-z]+</regex>
        <description>Possible DNS tunneling: unusually long subdomain detected</description>
        <mitre>
          <id>T1071.004</id>
        </mitre>
      </rule>
    </group>
📊 Monitoring in the Dashboard
In the Wazuh Dashboard under Threat Hunting, use the query rule.mitre.id: T1071.004 to filter DNS tunneling-specific alerts. If you’re running Suricata alongside Wazuh, check our Wazuh + Suricata Integration post for network-layer confirmation.