
Detecting data exfiltration over DNS tunneling

Observer · 0 XP
January 14, 2026

We recently discovered that an attacker was exfiltrating data from our network using DNS tunneling. The data was encoded in subdomain queries to an attacker-controlled domain. Here’s how we detected it and the indicators to look for.

# DNS tunnel detection - look for anomalous query patterns
import math
from collections import Counter

def calculate_entropy(s):
    # Shannon entropy in bits per character; encoded/random data scores high
    counts = Counter(s)
    length = len(s)
    return -sum(c / length * math.log2(c / length) for c in counts.values())

def detect_dns_tunnel(pcap_queries):
    suspicious = []
    for query in pcap_queries:
        # First (leftmost) label is where tunnels carry the encoded payload
        subdomain = query.split(".")[0]
        # DNS tunnels use long, high-entropy subdomains
        if len(subdomain) > 30:
            entropy = calculate_entropy(subdomain)
            if entropy > 3.5:
                suspicious.append(query)
    return suspicious
James Morrison
Analyst · 1,900 XP
February 21, 2026

Great detection script! We use a similar approach but also look at the volume of DNS queries per domain. Legitimate domains rarely exceed 100 queries/hour from a single host, while DNS tunnels generate thousands.

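Combining the two signals from this thread (long, high-entropy first labels from the original post and the per-host, per-domain query rate from the reply) in one detector, as an added example that is not code from either poster. The sample traffic, host addresses, domain names and the crude registered_domain() helper are constructed assumptions.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def label_entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(name):
    # Crude assumption: keep the last two labels. A real deployment would use a
    # public-suffix list so that names under e.g. "co.uk" group correctly.
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyse(queries, window=3600, max_rate=100, min_len=30, min_entropy=3.5):
    """queries: iterable of (timestamp_seconds, source_host, queried_name).
    Returns {(host, domain): reasons} for pairs that, in one window, exceeded
    max_rate queries or were dominated by long, high-entropy first labels."""
    buckets = defaultdict(lambda: [0, 0])  # (host, domain, window) -> [total, high-entropy]
    for ts, host, name in queries:
        bucket = buckets[(host, registered_domain(name), ts // window)]
        bucket[0] += 1
        first = name.split(".")[0]
        if len(first) >= min_len and label_entropy(first) > min_entropy:
            bucket[1] += 1
    alerts = defaultdict(set)
    for (host, domain, _), (total, high) in buckets.items():
        if total > max_rate:
            alerts[(host, domain)].add("query-rate")
        if high > total / 2:
            alerts[(host, domain)].add("high-entropy-labels")
    return dict(alerts)

def build_sample():
    """Constructed traffic, not a real capture: one quiet host, one tunnelling host."""
    qs = []
    for i in range(20):  # 10.0.0.5 resolves two ordinary names every 3 minutes
        qs.append((i * 180, "10.0.0.5", "www.example.com"))
        qs.append((i * 180 + 7, "10.0.0.5", "mail.example.com"))
    for i in range(150):  # 10.0.0.9 sends 150 random-looking 52-char labels in 10 minutes
        digest = hashlib.sha256(f"chunk{i}".encode()).digest()  # stand-in for encoded data
        label = base64.b32encode(digest).decode().rstrip("=").lower()
        qs.append((i * 4, "10.0.0.9", f"{label}.t.example.net"))
    return qs
```

Running analyse(build_sample()) flags only 10.0.0.9 against example.net, on both criteria. The entropy test alone also trips on some legitimate services that put hashes in labels, which is why pairing it with the per-host rate cuts false positives.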