Splunk Lantern

Changes in DNS record type queries

 

You want to monitor your network for changes in the mix of DNS resource record types being queried (A, AAAA, TXT, MX, and so on), which can be an early sign of DNS tunnelling or data exfiltration.

Required data

DNS data

Procedure

This sample search uses Stream DNS data. You can replace this source with any other DNS data used in your organization.

Run the following search. You can make it faster by restricting it to the index that holds your DNS data and by narrowing the time range.

eventtype="stream_dns" message_type="Query" 
| timechart span=1h count BY record_type

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: eventtype="stream_dns"
Explanation: Search only Stream DNS events.

Splunk Search: message_type="Query"
Explanation: Keep only DNS queries, excluding responses, so that each event counts one lookup.

Splunk Search: | timechart span=1h count BY record_type
Explanation: Count the queries for each DNS record type in one-hour bins across the time range you set for the search, producing one column per record type. The result renders as a chart or as a table.

Next steps

Examine the results for changes in the types of records being queried, such as a sudden rise in one type, or a type that rarely appears on your network showing up in volume. Watch TXT records closely: their free-form response payload makes them a common channel for command and control and data exfiltration. A records deserve the same attention: because they are the most common record type, tunnelling tools can hide encoded data in the query names of A lookups without changing the type mix much, so a rise in A query volume is also worth examining. If you have already identified a suspicious IP address, add it to the search as a filter on the source or destination IP field your DNS data provides (for example src_ip in Stream DNS data) to see whether its queries correlate with the change in record types. You can also use the results to build a per-record-type baseline or set alert thresholds, for example by alerting when an hour's count for a record type exceeds a multiple of its usual hourly count.
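The same hourly count-by-record-type table, followed by the baseline and threshold check suggested above, as an added Python example that is not part of the Lantern page and not Splunk's or Splunk Stream's code. The events are constructed for the example, and the field names timestamp, message_type, record_type, src_ip and query are assumptions modelled on Stream DNS output rather than its exact schema:

```python
"""Added example (not from the Splunk Lantern page or Splunk Stream): builds the
same hourly count-by-record-type table the search above produces, then checks
each hour against the record type's earlier hours for a spike. Events are
constructed; the field names timestamp, message_type, record_type, src_ip and
query are assumptions modelled on Stream DNS output, not its exact schema."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

START = datetime(2024, 1, 1, 0, tzinfo=timezone.utc)
PROFILE = {"A": 50, "AAAA": 10, "TXT": 2}  # steady queries per hour per type


def make_sample_events():
    """Construct synthetic DNS events (not real traffic): seven hours of steady
    traffic from four hosts, plus a burst of TXT queries from one extra host in
    the last hour, the pattern a DNS tunnelling tool produces."""
    events = []
    for hour in range(7):
        for rtype, n in PROFILE.items():
            for i in range(n):
                events.append({
                    "timestamp": (START + timedelta(hours=hour, minutes=i)).isoformat(),
                    "message_type": "Query",
                    "record_type": rtype,
                    "src_ip": "10.0.0.%d" % (1 + i % 4),
                    "query": "host%d.example.com" % i,
                })
    burst_start = START + timedelta(hours=6)
    for i in range(60):
        events.append({
            "timestamp": (burst_start + timedelta(minutes=i)).isoformat(),
            "message_type": "Query",
            "record_type": "TXT",
            "src_ip": "10.0.0.5",
            # encoded payload carried in the leftmost label of the query name
            "query": "%032x.t.example.net" % (i * 7919),
        })
    # One response event, to show why the search filters on message_type="Query".
    events.append({
        "timestamp": START.isoformat(),
        "message_type": "Response",
        "record_type": "TXT",
        "src_ip": "10.0.0.1",
        "query": "host0.example.com",
    })
    return events


def hourly_counts(events, message_type="Query", src_ip=None):
    """Python equivalent of
        message_type="Query" | timechart span=1h count BY record_type
    Returns {hour_iso: Counter({record_type: count})}, optionally limited to
    one source IP (the "add the suspicious IP to the search" step)."""
    table = defaultdict(Counter)
    for ev in events:
        if ev["message_type"] != message_type:
            continue
        if src_ip is not None and ev["src_ip"] != src_ip:
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        bucket = ts.replace(minute=0, second=0, microsecond=0).isoformat()
        table[bucket][ev["record_type"]] += 1
    return dict(sorted(table.items()))


def flag_spikes(table, min_history=3, factor=5.0, min_count=20):
    """Return (hour, record_type, count, baseline) for every hour in which a
    record type's count is at least min_count and more than factor times the
    mean of that type's counts over all earlier hours. A type with no history
    is baselined at 0, so a new type appearing in volume is flagged too. The
    thresholds are example values; tune them to your own network's traffic."""
    flagged = []
    hours = list(table)
    for idx, hour in enumerate(hours):
        if idx < min_history:  # not enough history to compare against yet
            continue
        history = hours[:idx]
        for rtype, count in table[hour].items():
            baseline = mean(table[h].get(rtype, 0) for h in history)
            if count >= min_count and count > factor * max(baseline, 1.0):
                flagged.append((hour, rtype, count, round(baseline, 1)))
    return flagged


if __name__ == "__main__":
    events = make_sample_events()
    table = hourly_counts(events)
    for hour, counts in table.items():
        print(hour, dict(counts))
    for hour, rtype, count, baseline in flag_spikes(table):
        print("SPIKE %s %s count=%d baseline=%.1f" % (hour, rtype, count, baseline))
    # Correlate the change with the suspect host only.
    print(hourly_counts(events, src_ip="10.0.0.5"))
```

On the constructed data, only the last hour's TXT count is flagged (62 against a baseline of 2 per hour), and restricting the table to 10.0.0.5 shows that the whole burst comes from that one host. In production you would baseline against the same hour of day over several weeks rather than the preceding few hours, and treat the factor and minimum count as tuning knobs for your own query volume.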

Finally, you might be interested in other processes associated with the Monitoring a network for DNS exfiltration use case.