DNS Tunneling Detection


Note: Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook.

Threat actors continuously seek ways to bypass perimeter defenses, and the Domain Name System (DNS) provides near-perfect camouflage. Because DNS is the backbone of internet connectivity, organizations rarely restrict or deeply inspect its traffic. DNS tunneling attacks exploit this blind spot by weaponizing the protocol itself, covertly encapsulating malicious communications within seemingly normal DNS queries and responses.

Lumu continuously analyzes your network metadata for these covert behavioral patterns. Initially, suspicious DNS traffic may be flagged as an anomaly to assist your team with proactive threat hunting. However, the moment this activity displays the definitive, high-confidence traits of an active tunnel, Lumu automatically escalates it into a confirmed DNS Tunneling incident.

The detection of this incident empowers your response team by providing crucial visibility into two primary attack objectives:

  • Data Exfiltration: Uncovers attempts to smuggle sensitive intellectual property or credentials out of your network. Attackers achieve this by encoding stolen data directly into the subdomain strings of outbound DNS queries, routing them to their own authoritative servers for decoding.
  • Network Infiltration (Command and Control): Identifies threat actors actively pushing malicious payloads or commands into your environment to maintain persistent C2 sessions. By hijacking DNS response fields—specifically TXT records—adversaries can bypass traditional inbound firewall rules to establish reverse shells on compromised devices.

This document outlines how the Lumu Portal delivers valuable insight into the detection of this attack by providing the necessary context to support the decision-making of your organization's response team.

Collected Data

The Lumu Portal captures specific metadata to facilitate forensic analysis and determine the severity of the covert communication. The data collected includes:

  • DNS records: The malicious root domain and the specific Authoritative Servers receiving the tunneled queries.
  • Affected endpoints: The specific internal devices generating the anomalous DNS traffic.
  • Data transferred: The exact volume of data uploaded and downloaded during the connection.

Incident Details

The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:

1. Summary: This section provides the foundational timeline and operational metrics of the incident. It displays the Creation Date, First and Last Record, and the First Affected Endpoint to help you establish the exact window of the covert communication, allowing you to correlate the tunneling timeframe with other potential network anomalies.

2. Tunneling Activity: This section aggregates the most relevant data regarding the covert channels and establishes a visual timeline to help you determine the severity of the compromise.

  • Aggregated Metrics: Displays the total number of Affected Endpoints, the volume of DNS Records generated, and the total Data Transferred (broken down by Uploaded and Downloaded volume). This allows analysts to determine exactly how much organizational data has potentially been exfiltrated and how many malicious commands might have entered the network.
  • Data Exfiltration Timeline: A graph displaying the data transferred over the incident's timeframe. Analysts can filter by specific endpoints and instantly see spikes in data uploads or downloads to map the attacker's activity.
  • Endpoint Involved List: An expandable breakdown of the affected assets. It displays the timeframe of the infection, the endpoint name, its environment label, the specific data transferred by that machine, and the number of records it generated. This display of information can help you quickly assess the potential severity of the attack.
  • Records Sample: Displays a snapshot of up to 20 raw DNS records associated with the endpoint. This information can be used to look for high variability in the subdomains, such as long, randomized strings. Because DNS tunneling relies on encoding data directly into the query itself, this constant variability provides visual confirmation that data is actively being encapsulated.

Incident Data Export

While the Lumu Portal displays the most critical data points visually, complex investigations—such as decoding the exfiltrated payloads—require full visibility. Lumu allows in-depth investigations with its Export Feature.

You can export data using the download button located at the top of the page (1) or using the button below the Summary section (2).


Exportable Data

You can export the following for this incident:

  • All Records (.csv)
    Downloads the complete, raw dataset of the entire incident lifecycle directly from the Tunneling Activity header.
  • Download endpoint activity (.csv)
    Allows analysts to extract the specific DNS records and transfer metrics for a single, isolated endpoint to assist in targeted remediation and forensic decoding.
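As an added illustration (not Lumu's code, detection logic or export schema), the script below scores the subdomain variability that the Records Sample section tells analysts to look for, run over a constructed CSV in the shape of an exported record set. The column names (timestamp, endpoint, query, record_type) and the flagging thresholds are assumptions for this example.

```python
import csv, io, math
from collections import Counter, defaultdict

# Constructed sample shaped like an "All Records" export; the column names are an
# assumption for this example, not Lumu's actual export schema.
SAMPLE_CSV = """timestamp,endpoint,query,record_type
2024-05-01T10:00:01Z,ws-042,3q8f1zk9a2m4bc7d0x.tun.example.net,TXT
2024-05-01T10:00:02Z,ws-042,9zp2ll0w4ke8nh1r7yu.tun.example.net,TXT
2024-05-01T10:00:03Z,ws-042,kq0v7s3ga5jx2ty8mr.tun.example.net,TXT
2024-05-01T10:00:04Z,ws-042,x1c6ne9bp4dw0hz3lf.tun.example.net,TXT
2024-05-01T10:00:05Z,ws-042,www.example.com,A
2024-05-01T10:00:06Z,ws-042,www.example.com,A
2024-05-01T10:00:07Z,ws-042,mail.example.com,A
"""

def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def root_domain(fqdn, levels=2):
    """Last `levels` labels; a simplification that ignores public-suffix rules."""
    return ".".join(fqdn.rstrip(".").split(".")[-levels:])

def score_domains(csv_text, min_queries=3, min_unique=0.8, min_entropy=3.5, min_len=12):
    """Per root domain: distinct-subdomain ratio, leftmost-label length and entropy,
    and share of TXT lookups. Thresholds are illustrative assumptions only."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": [], "txt": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        fqdn = row["query"].rstrip(".").lower()
        root = root_domain(fqdn)
        labels = fqdn[: -len(root)].rstrip(".").split(".") if fqdn != root else [""]
        d = acc[root]
        d["queries"] += 1
        d["subs"].add(".".join(labels))
        d["lens"].append(len(labels[0]))          # encoded payload usually rides the leftmost label
        d["ents"].append(shannon_entropy(labels[0]))
        d["txt"] += int(row["record_type"].upper() == "TXT")
    report = {}
    for root, d in acc.items():
        q = d["queries"]
        unique_ratio, avg_len, avg_ent = len(d["subs"]) / q, sum(d["lens"]) / q, sum(d["ents"]) / q
        report[root] = {
            "queries": q, "unique_ratio": unique_ratio, "avg_label_len": avg_len,
            "avg_entropy": avg_ent, "txt_ratio": d["txt"] / q,
            "suspicious": q >= min_queries and unique_ratio >= min_unique
                          and avg_ent >= min_entropy and avg_len >= min_len,
        }
    return report
```

Calling `score_domains(SAMPLE_CSV)` flags example.net (four distinct, long, high-entropy labels, all TXT) and leaves example.com unflagged; tune the thresholds against your own baseline before using the scores for triage.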

