What You'll Learn
- Identify DNS tunneling indicators in Suricata alert data using EveBox
- Analyze unusually long DNS queries and recognize encoded data in subdomain labels
- Investigate queries to known-malicious domains and newly registered domains
- Detect DNS-based command-and-control (C2) communication patterns
- Build a DNS threat assessment report correlating multiple DNS-based indicators
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-suricata |
| Containers | Suricata, EveBox |
| Estimated Time | 60–70 minutes |
| Difficulty | Intermediate |
| Browser Access | EveBox (Web UI) |
| Pre-Loaded Data | DNS tunneling alerts, malicious domain queries, and C2-over-DNS traffic from Operation Wire Tap |
| Deliverable | A DNS Threat Assessment Report documenting all DNS-based indicators with IOC extraction |
Why DNS Is the Attacker's Favorite Protocol. DNS is allowed through almost every firewall. It is rarely inspected deeply. It can carry arbitrary data encoded in query names. Attackers exploit these properties for tunneling (exfiltrating data), C2 communications (receiving commands), and initial callbacks (confirming compromise). If you are not monitoring DNS, you are blind to an entire attack channel.
The Scenario
The SOC received an intelligence alert: "Threat actors associated with Operation Wire Tap are known to use DNS-based exfiltration and C2 channels. Their infrastructure includes recently registered domains with randomized subdomain patterns. DNS query lengths frequently exceed 60 characters."
Your task is to investigate all DNS-related alerts in the pre-loaded Suricata data, identify indicators of DNS abuse, and build a comprehensive threat assessment.
Part 1: DNS Alert Discovery
Filtering for DNS Traffic
In EveBox, use the search/filter bar to isolate DNS-related alerts. Try these filter approaches:
By protocol: Filter for alerts where the application protocol is DNS. Look for the protocol or event type fields in the alert details.
By signature keyword: Search for signatures containing "DNS" in the alert list. Note how many distinct DNS signatures are present.
By port: Filter for alerts involving port 53 (standard DNS). Be aware that some DNS tunneling may use non-standard ports.
Initial DNS Survey
Record the following baseline data:
DNS ALERT BASELINE
══════════════════
Total DNS-related alert groups: [count]
Unique DNS signatures: [count]
Source IPs generating DNS alerts: [list]
Destination IPs (DNS servers queried): [list]
Time range of DNS activity: [first] to [last]
Part 2: Indicator 1 — Unusually Long DNS Queries
What Makes a DNS Query "Long"?
Normal DNS queries are short:
google.com= 10 charactersmail.example.org= 16 characterssubdomain.company.internal= 26 characters
DNS tunneling encodes data in subdomain labels, producing queries like:
aGVsbG8gd29ybGQ.dG9wIHNlY3JldA.tunnel.evil.com= 48 characters4f70657261746f6e20576972652054617.hex.c2server.net= 52 characters
Any DNS query consistently exceeding 50–60 characters warrants investigation.
Investigation Steps
- Find alerts with signatures related to long DNS queries or DNS tunneling
- Click into individual alerts and examine the DNS query field
- For each suspicious query, record:
LONG DNS QUERY ANALYSIS
═══════════════════════
Alert Signature: [name]
Query: [full DNS query string]
Query Length: [characters]
Subdomain Pattern: [random/hex/base64/readable]
Base Domain: [the root domain being queried]
Source IP: [internal host making the query]
Frequency: [how many similar queries from this host]
Assessment: [tunneling / legitimate / uncertain]
Base64 vs. Hex Encoding. Attackers commonly encode tunneled data as base64 (characters a-z, A-Z, 0-9, +, /) or hex (characters 0-9, a-f). Learn to recognize these patterns visually. Base64 subdomain labels have mixed case and occasional plus/slash characters. Hex labels are all lowercase with only 0-9 and a-f.
Part 3: Indicator 2 — Queries to Suspicious Domains
Domain Reputation Indicators
Not all malicious DNS activity involves tunneling. Some indicators to look for:
| Indicator | Why It Is Suspicious |
|---|---|
| Newly registered domain | Legitimate services use established domains; attackers register fresh ones |
| Random-looking domain name | e.g., xk7m2p.com vs. microsoft.com |
| Unusual TLD | .xyz, .top, .buzz, .onion are common in malicious infrastructure |
| Dynamic DNS provider | *.duckdns.org, *.no-ip.com — free, anonymous, commonly abused |
| Known malware C2 domain | Match against threat intelligence feeds |
Investigation Steps
- In EveBox, identify alerts flagged as policy violations or known-bad domain queries
- Extract the domain names from the DNS query fields
- For each suspicious domain:
SUSPICIOUS DOMAIN ANALYSIS
══════════════════════════
Domain: [full domain]
TLD: [top-level domain]
Alert Signature: [what rule flagged it]
Queried By: [source IP]
Query Count: [how many times queried]
Pattern: [DGA / random / known-bad / policy violation]
Risk Level: [high / medium / low]
Part 4: Indicator 3 — DNS-Based C2 Patterns
How DNS C2 Works
In a DNS C2 channel:
- Compromised host encodes commands/data into DNS queries (subdomains)
- Attacker's DNS server receives the query and decodes the data
- Attacker responds with encoded commands in DNS TXT, CNAME, or A records
- Compromised host decodes the DNS response to get new commands
Behavioral Indicators of DNS C2
| Indicator | Detection Method |
|---|---|
| Periodic queries | Same domain queried at regular intervals (every 30s, 60s, etc.) |
| High query volume | Hundreds of queries to the same domain in a short period |
| TXT record requests | TXT records can carry large payloads — unusual for normal browsing |
| Consistent query length | Tunneled commands produce similarly-sized queries each time |
| No corresponding web traffic | Domain is queried via DNS but never accessed via HTTP/HTTPS |
Investigation Steps
- Find alerts related to DNS C2, beaconing, or trojan activity
- Examine the timing pattern — are queries evenly spaced?
- Check if TXT record queries are present
- Determine if the queried domain has any legitimate purpose
DNS C2 PATTERN ANALYSIS
═══════════════════════
Suspect Domain: [domain]
Query Interval: [seconds between queries]
Record Type Requested: [A / TXT / CNAME / MX]
Total Queries in Session: [count]
Average Query Length: [characters]
Encoding Pattern: [base64 / hex / custom]
Associated Source IP: [internal host]
Verdict: [confirmed C2 / likely C2 / benign]
Part 5: Correlating DNS Indicators with the Attack Chain
Building the DNS Threat Timeline
Now connect your DNS findings to the broader Operation Wire Tap attack:
- Pre-attack phase: Were there DNS queries for reconnaissance (e.g., querying target infrastructure)?
- Exploitation phase: Did the compromised host start making unusual DNS queries after the web shell was deployed?
- C2 phase: Can you identify the transition from normal to tunneling behavior?
- Exfiltration phase: Do any DNS queries appear to carry encoded data outbound?
Cross-Reference with Non-DNS Alerts
Compare your DNS timeline with the non-DNS alerts you triaged in Lab 3.1:
- Do the DNS C2 queries start AFTER the SQL injection and web shell alerts?
- Is the host making DNS tunnel queries the same host that was exploited?
- Does the DNS C2 destination domain relate to any IP seen in other alerts?
The DNS Timeline Test. If DNS tunneling queries START only after an exploitation event and come FROM the compromised host, you have strong evidence of post-exploitation C2. This temporal correlation is often the key evidence that elevates "suspicious DNS" from informational to confirmed compromise.
Part 6: Build Your DNS Threat Assessment Report
Compile all findings into a formal report:
DNS THREAT ASSESSMENT REPORT
═════════════════════════════
Classification: [CONFIRMED THREAT / SUSPECTED THREAT / MONITORING]
Date: [today's date]
Analyst: [your name]
EXECUTIVE SUMMARY
─────────────────
[2-3 sentences describing the DNS-based threat activity observed]
DNS INDICATORS OF COMPROMISE
─────────────────────────────
1. Tunneling Domains: [list domains with encoded subdomain patterns]
2. C2 Domains: [list domains with beaconing behavior]
3. Suspicious TLDs: [list unusual TLDs observed]
4. Long Query Hosts: [internal IPs making anomalous DNS queries]
TIMELINE
────────
[Chronological list of DNS events correlated with attack phases]
RECOMMENDED ACTIONS
───────────────────
1. [Block identified C2 domains at DNS resolver]
2. [Isolate compromised hosts making tunnel queries]
3. [Add domains to threat intelligence blocklist]
4. [Implement DNS query length monitoring threshold]
Deliverable Checklist
Before completing the lab, ensure you have:
- DNS alert baseline — total groups, unique signatures, source IPs, time range
- Long query analysis — at least 3 suspicious queries with length, encoding pattern, and assessment
- Suspicious domain analysis — all flagged domains with TLD, query count, and risk level
- DNS C2 pattern analysis — at least 1 confirmed or suspected C2 channel with timing and encoding details
- Timeline correlation — DNS events mapped to the broader Operation Wire Tap attack phases
- DNS Threat Assessment Report — complete formal report with IOCs and recommended actions
Key Takeaways
- DNS is one of the most abused protocols because it traverses nearly all firewalls and is rarely inspected deeply
- DNS tunneling encodes data in subdomain labels, producing queries that are abnormally long (50+ characters)
- DNS C2 shows behavioral patterns: periodic queries, consistent lengths, TXT record requests, no corresponding web traffic
- The most powerful DNS analysis technique is temporal correlation — matching DNS anomalies to known exploitation events
- Every DNS IOC (domain, query pattern, source host) should be extracted and fed into your organization's threat intelligence
What's Next
In Lab 3.4 — Two Views, One Attack, you will combine network-level detection (Suricata/EveBox) with SIEM-level detection (Wazuh alerts) to reconstruct the complete Operation Wire Tap attack from two complementary viewpoints. This is how professional SOC teams build comprehensive incident timelines.
Lab Challenge: Suspicious DNS
10 questions · 70% to pass
Why is DNS considered one of the most dangerous protocols for attackers to abuse?
You observe a DNS query: 'aGVsbG8gd29ybGQ.dG9wIHNlY3JldA.tunnel.evil.com'. What indicates this is likely DNS tunneling?
What is the typical length threshold that distinguishes normal DNS queries from potentially tunneled ones?
Which DNS record type is most commonly abused for C2 communication because it can carry large payloads?
You find DNS queries to the same domain occurring exactly every 30 seconds from an internal host. What does this pattern indicate?
What is the strongest evidence that DNS tunneling is related to a specific exploitation event rather than unrelated background activity?
You identify a domain with these properties: registered 3 days ago, .xyz TLD, queried only via DNS (never via HTTP), random-looking name. What is your risk assessment?
In a DNS C2 channel, how does the attacker send commands BACK to the compromised host?
You extract three DNS IOCs from your investigation: a tunneling domain, a C2 domain, and an internal host IP. What is the recommended action priority?
An ET POLICY rule fires for a DNS query to a .onion domain, but the source host is an IT administrator's workstation. How should this be handled?
0/10 answered