Support Library
DNS Tunneling (Data Exfiltration)
Compromised endpoints exfiltrate data via DNS to attacker-controlled authorities.
Threat Model
Compromised endpoints exfiltrate data via DNS to attacker-controlled authorities.
Attack Path
Payload is encoded in high-entropy labels and exchanged through repetitive query patterns or TXT records.
Detection Techniques
Analyze logs for long random subdomains, TXT spikes, and low-reputation destination domains.
Mitigation Strategies
Enable DNS logging, anomaly detection, strict egress resolver policy, and rapid endpoint containment.
Scoring Impact (tie to Panopticon scoring model)
Confirmed tunneling is critical; permissive egress controls increase baseline risk.
How DNS Panopticon Detects This
- Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
- Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
- Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
- Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.
Operator Checklist
- Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
- Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
- Document the root cause and the final fix in your runbook to shorten future incidents.