# tcp\_dnstunneling

**Explanation**

This Netography Fusion Portal security event identifies DNS tunneling over TCP, a technique used to bypass traditional security measures by embedding data in DNS queries and responses. This event looks for network traffic that may be indicative of this technique, and generates an alert if detected.

**What to Look For**

To examine the results of the tcp\_dnstunneling event, customers should look for abnormal network traffic patterns, such as large numbers of DNS queries or responses. They should also analyze the payload of these DNS requests and responses for suspicious content that may indicate an attempt at DNS tunneling. On the endpoint side, customers should look for activity from known tools and utilities used for DNS tunneling, and examine processes and network connections for signs of compromise. By analyzing these indicators, customers can identify and remediate any instances of DNS tunneling on their networks.

**Related MITRE ATT\&CK Categories**

[Command and Control: Protocol Tunneling, Technique T1572 - Enterprise](https://attack.mitre.org/techniques/T1572)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/informational/tcp_dnstunneling.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.