Splunk Lantern

Requests to a large number of subdomains

You might want to monitor how many subdomains are requested per domain when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You want to monitor how many subdomains are requested per domain to identify signs of data exfiltration or Domain Generation Algorithm domains.

To optimize the search shown below, you should specify an index and a time range. 

Run the following search: 
tag=dns message_type="Query" 
| eval list="mozilla"
| `ut_parse_extended(query, list)`
| stats dc(ut_subdomain) AS HostsPerDomain BY ut_domain
| sort -HostsPerDomain

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

tag=dns 

Search for events carrying the "dns" tag.

message_type="Query" 

Search for queries.

| eval list="mozilla"

Set the list variable to "mozilla" so that domains are parsed against the Mozilla top level domain (public suffix) list.

This eval function is required for the next line in the search (ut_parse_extended) to work.

| `ut_parse_extended(query, list)`

Parse the queries based on the Mozilla top level domain list.

The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

| stats dc(ut_subdomain) AS HostsPerDomain BY ut_domain

Return the results in a table grouped by the ut_domain field, with a count of the distinct subdomains seen for each domain.

| sort -HostsPerDomain

Sort the results with the domain with the highest number of subdomains appearing first.

Result

The search results include all domains. Since you probably aren't concerned about queries to subdomains of microsoft.com or other known good sites, you can use lookups to remove noise. 
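The following Python script is an added example, not part of the Splunk Lantern article or the URL Toolbox app: it reproduces the logic of the search above over constructed DNS query log lines (parse each query against a public suffix list, count distinct subdomains per registered domain, sort descending) and applies an allowlist in place of the lookup suggested for removing known-good domains. The three-entry suffix set and the log lines are constructed stand-ins.

```python
from collections import defaultdict

# Constructed stand-in for the Mozilla public suffix list used by
# ut_parse_extended; the real list has thousands of entries.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}

# Constructed sample of DNS events; only message_type=Query should be counted.
SAMPLE_LOG = """\
2024-05-01T10:00:01 message_type=Query query=www.microsoft.com
2024-05-01T10:00:02 message_type=Query query=update.microsoft.com
2024-05-01T10:00:03 message_type=Query query=a1b2c3d4.exfil-example.net
2024-05-01T10:00:04 message_type=Query query=e5f6a7b8.exfil-example.net
2024-05-01T10:00:05 message_type=Query query=c9d0e1f2.exfil-example.net
2024-05-01T10:00:06 message_type=Response query=zzz.exfil-example.net
2024-05-01T10:00:07 message_type=Query query=mail.example.co.uk
2024-05-01T10:00:08 message_type=Query query=www.example.co.uk
"""


def parse_extended(fqdn):
    """Split an FQDN into (subdomain, registered domain, tld), longest suffix first."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        tld = ".".join(labels[i:])
        if tld in PUBLIC_SUFFIXES:
            return ".".join(labels[: i - 1]), ".".join(labels[i - 1 :]), tld
    return "", fqdn, ""


def hosts_per_domain(log_text, allowlist=()):
    """Return [(domain, distinct subdomain count)] sorted by count descending."""
    subdomains = defaultdict(set)
    for line in log_text.splitlines():
        # Field 0 is the timestamp; the rest are key=value pairs.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("message_type") != "Query":
            continue
        sub, domain, _ = parse_extended(fields["query"])
        if domain in allowlist or not sub:  # skip noise and bare domains
            continue
        subdomains[domain].add(sub)
    return sorted(((d, len(s)) for d, s in subdomains.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for domain, count in hosts_per_domain(SAMPLE_LOG, allowlist={"microsoft.com"}):
        print(f"{domain}\t{count}")
```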
