Spikes in volume of DNS queries
You might need to review the volume of DNS queries on your network when doing the following:
Prerequisites
To run this procedure in your environment, you may first need to onboard the data, services, or apps listed in the following table.
Category | Name | Importance |
---|---|---|
Data | Network resolution data | Required |
App | | Recommended |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
You want to monitor your network for spikes in DNS queries, which can be an early sign of data exfiltration.
- Run the following search:
```
eventtype="stream_dns" message_type="Query" | timechart span=1h limit=10 usenull=f useother=f count AS Requests by src
```
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
`eventtype="stream_dns"` | Search Stream DNS events. |
`message_type="Query"` | Search for queries. |
`\| timechart span=1h limit=10 usenull=f useother=f count AS Requests by src` | Display a maximum of 10 results in a table that shows the number of queries for each source in one-hour increments. Exclude events that do not contain the split-by field, in this case `src` (`usenull=f`). Do not merge the series excluded by the limit into a single "OTHER" series (`useother=f`). |
Result
Examine the results for clients that have a large number of events compared to other clients in the organization. This is a potential indicator of data transfers using DNS. Investigate any unusual findings, or use the results to build a baseline or set thresholds for alerts.
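The following is an added example, not part of the original procedure or Splunk's own code: it reproduces the logic of the search above in Python (count `Query` events per source per hour) and then applies one possible spike threshold to a constructed set of DNS events. The sample hosts, timestamps, and the `factor` and `min_peers` thresholds are assumptions; tune them against your own baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median


def build_sample_events():
    """Constructed sample events as (timestamp, src, message_type) tuples.
    Three hosts keep a modest hourly volume; 10.0.0.99 bursts in the 10:00 hour."""
    events = []
    for hour in (9, 10, 11):
        for src, per_hour in (("10.0.0.11", 8), ("10.0.0.12", 10),
                              ("10.0.0.13", 6), ("10.0.0.99", 7)):
            for i in range(per_hour):
                events.append((f"2024-05-01T{hour:02d}:{i:02d}:00", src, "Query"))
        # A Response event that the message_type="Query" filter must drop.
        events.append((f"2024-05-01T{hour:02d}:30:00", "10.0.0.11", "Response"))
    for i in range(120):  # the burst, spread over the 10:00 hour
        events.append((f"2024-05-01T10:{i % 60:02d}:{i // 60:02d}", "10.0.0.99", "Query"))
    return events


def hourly_query_counts(events):
    """Equivalent of `message_type="Query" | timechart span=1h count by src`:
    returns {(hour_bucket_iso, src): count}."""
    counts = Counter()
    for ts, src, msg_type in events:
        if msg_type != "Query":
            continue
        bucket = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        counts[(bucket.isoformat(), src)] += 1
    return counts


def flag_spikes(counts, factor=5.0, min_peers=2):
    """Flag a src whose hourly count exceeds `factor` times the median count of
    the other sources in that hour (assumed threshold, not from the page).
    Returns [(hour, src, count, peer_median)]."""
    by_hour = defaultdict(dict)
    for (hour, src), n in counts.items():
        by_hour[hour][src] = n
    flagged = []
    for hour, per_src in sorted(by_hour.items()):
        for src, n in sorted(per_src.items()):
            peers = [v for s, v in per_src.items() if s != src]
            if len(peers) < min_peers:  # not enough data for a baseline
                continue
            baseline = median(peers)
            if n > factor * baseline:
                flagged.append((hour, src, n, baseline))
    return flagged


if __name__ == "__main__":
    for row in flag_spikes(hourly_query_counts(build_sample_events())):
        print("spike: hour=%s src=%s queries=%d peer_median=%s" % row)
```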