hunting-for-dns-tunneling-with-zeek

# Hunting for DNS Tunneling with Zeek ## When to Use - When hunting for data exfiltration over DNS covert channels - After threat intelligence indicates DNS-based C2 frameworks targeting your industry - When dns.log shows unusually high query volumes to specific domains - During investigation of suspected data theft where no HTTP/S exfiltration is found - When monitoring for tools like iodine, dnscat2, DNSExfiltrator, or DNS-over-HTTPS tunneling ## Prerequisites - Zeek deployed on network tap or SPAN port capturing DNS traffic - Zeek dns.log with full query and response fields - SIEM platform for dns.log analysis (Splunk, Elastic) - RITA (Real Intelligence Threat Analytics) for automated DNS analysis - Passive DNS data for historical domain resolution context ## Workflow 1. **Analyze Query Length Distribution**: DNS tunneling encodes data in subdomain labels, producing queries significantly longer than normal. Normal DNS queries average 20-30 characters; tunneling queries often exceed 50+ characters. Calculate mean and standard deviation of query lengths per domain. 2. **Calculate Subdomain Entropy**: Tunneling encodes data using Base32/Base64, producing high-entropy subdomain strings. Calculate Shannon entropy of subdomain labels -- values above 3.5 bits/character strongly suggest encoded data. 3. **Count Unique Subdomains Per Domain**: Legitimate domains have relatively few unique subdomains. DNS tunneling generates hundreds or thousands of unique subdomains under a s...