Overview

DNS tunneling and exfiltration is a technique used by attackers to bypass firewalls and DLP controls by encoding stolen data into DNS query subdomains. Legitimate DNS queries have predictable entropy and length patterns, while exfiltration queries contain encoded data with high Shannon entropy, unusually long subdomain labels, and high volumes of unique subdomains per parent domain.

This skill analyzes Zeek dns.log files (TSV format) to detect exfiltration indicators. The agent computes Shannon entropy for each subdomain component, identifies queries exceeding the 63-character DNS label limit, counts unique subdomains per parent domain, and flags domains that exceed configurable thresholds. These techniques detect tools like dnscat2, iodine, dns2tcp, and custom DNS tunneling implementations.

Prerequisites

Python 3.9 or later with math and collections modules (stdlib)
Zeek dns.log files in TSV format with standard field headers
Network capture data processed by Zeek 5.0+ or later
Understanding of DNS protocol structure and query types

Steps

Parse Zeek dns.log headers: Read the TSV file, extract the #fields header line to identify column positions for ts, id.orig_h, query, qtype_name, rcode_name, and answers.

Extract and decompose queries: For each DNS query, split the FQDN into subdomain labels and parent domain. Skip queries to known safe domains and internal zones.

Compute Shannon entropy: Calculate the information entropy of each subdomain label. Legitimate subdomains typically have entropy below 3.5, while encoded/encrypted data produces entropy above 4.0.

Detect long labels: Flag DNS labels exceeding 52 characters (approaching the 63-character maximum). Long labels are a strong indicator of data tunneling.

Count unique subdomains per domain: Track how many distinct subdomains each parent domain receives. Domains with more than 50 unique subdomains within the log window are suspicious.

Identify query volume anomalies: Calculate queries-per-minute per source IP per domain. Exfiltration tools generate sustained high-volume query streams that differ from normal browsing.

Score and rank domains: Combine entropy, label length, uniqueness count, and query volume into a composite risk score. Rank domains by score and output the top suspicious domains.

Generate detection report: Produce a JSON report with flagged domains, their evidence indicators, originating source IPs, and recommended response actions.

Expected Output

{
  "analysis_summary": {
    "total_queries_analyzed": 145832,
    "unique_domains": 3421,
    "flagged_domains": 3,
    "entropy_threshold": 3.5
  },
  "flagged_domains": [
    {
      "domain": "data.evil-c2.com",
      "unique_subdomains": 892,
      "avg_entropy": 4.72,
      "max_label_length": 61,
      "source_ips": ["10.0.1.45"],
      "risk_score": 9.4,
      "indicators": ["high_entropy", "long_labels", "high_subdomain_count"]
    }
  ]
}

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.6 (System Boundaries), CC6.7 (Restriction on Transmission)
ISO 27001: A.13.1 (Network Security), A.13.2 (Information Transfer)
NIST 800-53: SC-7 (Boundary Protection), AC-17 (Remote Access), SI-4 (System Monitoring)
NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-exfiltration-over-dns-with-zeek

# Or load dynamically via MCP
grc.load_skill("detecting-exfiltration-over-dns-with-zeek")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Overview

Prerequisites

Python 3.9 or later with math and collections modules (stdlib)
Zeek dns.log files in TSV format with standard field headers
Network capture data processed by Zeek 5.0+ or later
Understanding of DNS protocol structure and query types

Steps

Parse Zeek dns.log headers: Read the TSV file, extract the #fields header line to identify column positions for ts, id.orig_h, query, qtype_name, rcode_name, and answers.

Extract and decompose queries: For each DNS query, split the FQDN into subdomain labels and parent domain. Skip queries to known safe domains and internal zones.

Compute Shannon entropy: Calculate the information entropy of each subdomain label. Legitimate subdomains typically have entropy below 3.5, while encoded/encrypted data produces entropy above 4.0.

Detect long labels: Flag DNS labels exceeding 52 characters (approaching the 63-character maximum). Long labels are a strong indicator of data tunneling.

Count unique subdomains per domain: Track how many distinct subdomains each parent domain receives. Domains with more than 50 unique subdomains within the log window are suspicious.

Identify query volume anomalies: Calculate queries-per-minute per source IP per domain. Exfiltration tools generate sustained high-volume query streams that differ from normal browsing.

Score and rank domains: Combine entropy, label length, uniqueness count, and query volume into a composite risk score. Rank domains by score and output the top suspicious domains.

Generate detection report: Produce a JSON report with flagged domains, their evidence indicators, originating source IPs, and recommended response actions.

Expected Output

{
  "analysis_summary": {
    "total_queries_analyzed": 145832,
    "unique_domains": 3421,
    "flagged_domains": 3,
    "entropy_threshold": 3.5
  },
  "flagged_domains": [
    {
      "domain": "data.evil-c2.com",
      "unique_subdomains": 892,
      "avg_entropy": 4.72,
      "max_label_length": 61,
      "source_ips": ["10.0.1.45"],
      "risk_score": 9.4,
      "indicators": ["high_entropy", "long_labels", "high_subdomain_count"]
    }
  ]
}

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.6 (System Boundaries), CC6.7 (Restriction on Transmission)
ISO 27001: A.13.1 (Network Security), A.13.2 (Information Transfer)
NIST 800-53: SC-7 (Boundary Protection), AC-17 (Remote Access), SI-4 (System Monitoring)
NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add detecting-exfiltration-over-dns-with-zeek

# Or load dynamically via MCP
grc.load_skill("detecting-exfiltration-over-dns-with-zeek")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Overview

Prerequisites

Steps

Expected Output

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Network Anomalies with Zeek

Detecting DNS Exfiltration with DNS Query Analysis

Performing Network Traffic Analysis with Zeek

Hunting for Cobalt Strike Beacons

Hunting for DNS Tunneling with Zeek

Analyzing Network Flow Data with NetFlow

Prerequisites

Overview

Prerequisites

Steps

Expected Output

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting Network Anomalies with Zeek

Detecting DNS Exfiltration with DNS Query Analysis

Performing Network Traffic Analysis with Zeek

Hunting for Cobalt Strike Beacons

Hunting for DNS Tunneling with Zeek

Analyzing Network Flow Data with NetFlow