Cisco Systems, Inc.
Detection of DNS (domain name system) tunneling and exfiltration through DNS query analysis

Last updated:

Abstract:

In one embodiment, a method includes collecting DNS (Domain Name System) communications, analyzing the DNS communications, and identifying DNS tunneling or exfiltration based on analysis of the DNS communications. Analyzing the DNS communications includes identifying a distinct query count for each of a plurality of clients over a specified time period and a data transfer direction between the clients and one or more servers, and categorizing the DNS communications based on session features associated with at least one of query type, transfer capability, and server response. An apparatus and logic are also disclosed herein.
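The abstract describes three analysis steps: a per-client distinct query count over a time window, an inferred data transfer direction, and a categorization by query type, transfer capability and server response. The following is an added example (not code from the patent or from Cisco) that runs those steps over constructed DNS log records. The window size, the thresholds, the record-type set, the log field layout and the sample log lines are all assumptions made for illustration; the patent does not specify them.

```python
"""Added example: per-client DNS query analysis for tunneling/exfiltration
signals, following the steps named in the abstract. Thresholds, field layout
and the sample log are assumptions, not values from the patent."""
import base64
import hashlib
import math
from collections import defaultdict
from statistics import mean

WINDOW_SECONDS = 60            # assumed analysis window per client
DISTINCT_QUERY_THRESHOLD = 25  # assumed: distinct names per client per window
LONG_LABEL_CHARS = 24          # assumed: first-label length that suggests encoded data
LARGE_ANSWER_BYTES = 300       # assumed: answer size that suggests data in responses
TRANSFER_TYPES = {"TXT", "NULL", "CNAME", "MX"}  # assumed: types able to carry arbitrary data


def _encoded_label(i):
    """Deterministic, high-entropy base32 label standing in for encoded payload."""
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()[:20]).decode().lower()


# Constructed sample log: (epoch_seconds, client, qname, qtype, rcode, answer_bytes).
# Timestamps 1200..1259 all fall in one 60-second window.
SAMPLE_LOG = [
    (1200, "10.0.0.5", "www.example.com", "A", "NOERROR", 60),
    (1201, "10.0.0.5", "mail.example.com", "A", "NOERROR", 60),
    (1202, "10.0.0.5", "www.example.com", "A", "NOERROR", 60),
    # 10.0.0.7: many distinct, long encoded labels under one zone, small answers (upload pattern)
    *[(1200 + i, "10.0.0.7", f"{_encoded_label(i)}.t.evil.example", "TXT", "NOERROR", 30)
      for i in range(40)],
    # 10.0.0.9: short polling names, large TXT answers (download pattern)
    *[(1200 + i, "10.0.0.9", f"c{i}.d.evil.example", "TXT", "NOERROR", 900)
      for i in range(40)],
]


def shannon_entropy(s):
    """Bits per character of a label; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def window_features(log, window=WINDOW_SECONDS):
    """Group records by (client, window) and compute session features."""
    groups = defaultdict(list)
    for ts, client, qname, qtype, rcode, ans in log:
        groups[(client, ts // window)].append((qname, qtype, rcode, ans))
    feats = {}
    for key, recs in groups.items():
        names = [r[0] for r in recs]
        first_labels = [n.split(".")[0] for n in names]
        feats[key] = {
            "queries": len(recs),
            "distinct_queries": len(set(names)),                 # distinct query count
            "avg_first_label_len": mean(len(l) for l in first_labels),
            "avg_label_entropy": mean(shannon_entropy(l) for l in first_labels),
            "transfer_type_ratio": sum(r[1] in TRANSFER_TYPES for r in recs) / len(recs),
            "noerror_ratio": sum(r[2] == "NOERROR" for r in recs) / len(recs),
            "avg_answer_bytes": mean(r[3] for r in recs),
        }
    return feats


def transfer_direction(f):
    """Infer direction: data in query labels = upload, data in answers = download."""
    up = f["avg_first_label_len"] >= LONG_LABEL_CHARS
    down = f["avg_answer_bytes"] >= LARGE_ANSWER_BYTES
    return {(True, True): "bidirectional", (True, False): "upload",
            (False, True): "download"}.get((up, down), "none")


def classify(log):
    """Return per-(client, window) direction, categories and a suspicious flag."""
    results = {}
    for key, f in window_features(log).items():
        direction = transfer_direction(f)
        categories = []
        if f["transfer_type_ratio"] >= 0.5:
            categories.append("transfer-capable-qtype")     # query type / transfer capability
        if f["noerror_ratio"] >= 0.9:
            categories.append("server-answers-all")         # server response feature
        suspicious = (f["distinct_queries"] >= DISTINCT_QUERY_THRESHOLD
                      and direction != "none")
        results[key] = {"direction": direction, "categories": categories,
                        "suspicious": suspicious, **f}
    return results


def suspicious_clients(log):
    """Sorted list of clients with at least one suspicious window."""
    return sorted({c for (c, _), r in classify(log).items() if r["suspicious"]})


if __name__ == "__main__":
    for key, r in sorted(classify(SAMPLE_LOG).items()):
        print(key, r["direction"], r["distinct_queries"], r["categories"], r["suspicious"])
```

The distinct-query count is the primary signal because a tunnel must avoid resolver caching, so every chunk rides on a new name; the direction and categorization features then separate a busy but benign client (many distinct names, short labels, small A answers) from a tunnel endpoint. In practice the thresholds would be fitted to the observed baseline of each network rather than fixed as above.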

Status:
Grant
Type:

Utility

Filing date:

14 Feb 2018

Issue date:

19 Oct 2021