Skip to main content

Increases in DNS packet size and volume

  • Updated

You might want to review the size and number of DNS packets being transmitted over your network when doing the following:

Prerequisites 

In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.

Category

Name

Importance

Data

Network resolution data

Required

App

Splunk Stream

Recommended

 

Example

The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source. 

You want to monitor your network for large DNS packets or an unusually high volume of DNS packets, both of which can be an early sign of data exfiltration.

  1. Run the following search: 
eventtype="stream_dns" message_type="Query" 
| mvexpand query
| eval queryLength=len(query)
| stats count by queryLength, src
| sort -queryLength, count
| table src queryLength count
| head 1000

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

eventtype="stream_dns" 

Search Stream DNS events.

message_type="Query" 

Search for queries.

| mvexpand query

Create a new event for each value found in the query field.

| eval queryLength=len(query)

Calculate the length of the string in the query field.

| stats count by queryLength, src

Count the number of times each query length and source combination occurred.

| sort -queryLength, count

Sort results with the largest requests first.

| table src queryLength count

Display the results in a table with columns in the order shown.

| head 1000

Show only the first 1,000 records.

 

Result

Using the scatter chart visualization might help you see the outliers better. A high number of requests or large packets can indicate a security risk. For example, many common domains (www.google.com and www.bbc.co.uk) have a small query string length and will have a small query count. If, however, the malicious software opens a sensitive document that’s 5 Mb in size, chops it into 255-byte packets, and sends via DNS requests, then you're likely to see many 255-byte packets.

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.