Splunk Lantern

Increases in DNS packet size and volume

You might want to review the size and number of DNS packets being transmitted over your network when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

  • Splunk Enterprise or Splunk Cloud Platform
  • DNS data

Example

You want to monitor your network for large DNS packets or an unusually high volume of DNS packets, both of which can be an early sign of data exfiltration.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Stream DNS data. You can replace this source with any other DNS data used in your organization.

  1. Run the following search:

     eventtype="stream_dns" message_type="Query"
     | mvexpand query
     | eval queryLength=len(query)
     | stats count BY queryLength, src
     | sort -queryLength, count
     | table src queryLength count
     | head 1000

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search                        Explanation

eventtype="stream_dns"               Search only Stream DNS events.

message_type="Query"                 Search for queries.

| mvexpand query                     Create a new event for each value found in the query field.

| eval queryLength=len(query)        Calculate the length of the string in the query field.

| stats count BY queryLength, src    Count the number of times each query length and source combination occurred.

| sort -queryLength, count           Sort results with the longest queries first, then by count.

| table src queryLength count        Display the results in a table with columns in the order shown.

| head 1000                          Show only the first 1,000 records.

Result

Using the scatter chart visualization might help you see the outliers better. A high number of requests or large packets can indicate a security risk. For example, many common domains (www.google.com and www.bbc.co.uk) have a small query string length and will have a small query count. If, however, malicious software opens a sensitive document that’s 5 Mb in size, chops it into 255-byte packets, and sends it via DNS requests, then you're likely to see many 255-byte packets from the same source.
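The same length-and-volume logic written out in Python, as an added example that is not part of the Splunk Lantern article or of Stream: it reproduces the stats, sort and head stages of the search above over constructed log lines and flags a source that sends many near-maximum-length query names, the pattern the paragraph above describes. The key=value line format, the exfil.example domain, the chunking scheme and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed document and the (assumed) chunking scheme from the Result section:
# each 117-byte chunk is hex-encoded (234 chars) and packed into DNS labels of at
# most 60 characters, giving a 251-character query name, close to the 255 limit.
DOCUMENT = b"CONFIDENTIAL" * 195          # 2340 bytes = 20 chunks of 117 bytes
EXFIL_DOMAIN = ".exfil.example"            # placeholder attacker domain

def exfil_queries(document: bytes, chunk: int = 117) -> list:
    """Return the query names a chunk-and-send exfiltration tool would emit."""
    names = []
    for i in range(0, len(document), chunk):
        hexed = document[i:i + chunk].hex()
        labels = [hexed[j:j + 60] for j in range(0, len(hexed), 60)]
        names.append(".".join(labels) + EXFIL_DOMAIN)
    return names

# Constructed sample log lines in a simple key=value form (not Stream's own format):
# ordinary short lookups from three hosts, plus the exfiltration queries from 10.0.0.7.
SAMPLE_LOG = [
    "src=10.0.0.5 query=www.google.com",
    "src=10.0.0.5 query=www.bbc.co.uk",
    "src=10.0.0.6 query=www.google.com",
    "src=10.0.0.6 query=www.bbc.co.uk",
    "src=10.0.0.7 query=www.google.com",
] + [f"src=10.0.0.7 query={name}" for name in exfil_queries(DOCUMENT)]
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+query=(?P<query>\S+)")

def query_length_table(lines, limit: int = 1000) -> list:
    """Python equivalent of: eval queryLength=len(query) | stats count BY queryLength, src
    | sort -queryLength, count | head <limit>. Returns (src, queryLength, count) rows."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:                                   # skip lines that are not DNS queries
            counts[(m.group("src"), len(m.group("query")))] += 1
    rows = [(src, length, n) for (src, length), n in counts.items()]
    rows.sort(key=lambda r: (-r[1], r[2]))      # longest queries first, then by count
    return rows[:limit]

def suspicious_sources(rows, min_length: int = 200, min_queries: int = 10) -> set:
    """Flag sources that send many near-maximum-length names, the long, high-volume
    pattern the Result section describes. Both thresholds are assumptions."""
    long_per_src = Counter()
    for src, length, n in rows:
        if length >= min_length:
            long_per_src[src] += n
    return {src for src, n in long_per_src.items() if n >= min_queries}
```

In Splunk the query field can be multivalued, which is why the search runs mvexpand first; the constructed lines here carry one name each, so no expansion step is needed.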
