# dns\_lookup\_tunneling

**Explanation**

This event is triggered by Netography's Fusion Portal when it detects a pattern of Domain Name System (DNS) requests that is consistent with DNS being used as a tunnel for non-DNS traffic. Attackers often use protocol tunneling to evade network monitoring, circumvent network boundary restrictions, or defeat DLP controls.

In a DNS tunnel, attacker malware running on a compromised host will encode messages or TCP/IP packets into the host and subdomain portion of an otherwise normal DNS resolution request for a domain controlled by the attacker. These requests will be forwarded to the attacker's Domain Name Server, and the DNS replies sent by that server will include encoded responses or TCP/IP packets. In this way the attacker can communicate over DNS.

This NDM detects a scenario where a large number of DNS requests for many different hosts under a single domain have been observed within a short period of time. This pattern of activity is indicative of DNS tunneling.

**What to Look For**

Examine the DNS traffic associated with the alarm. In a DNS tunnel, data is encoded in the subdomain and host portions of the query, so those labels will appear nonsensical and not readable by a human. DNS tunnels also rarely use "A" or "AAAA" query types, so investigators should look for anomalous volumes of MX, CNAME, or TXT queries. Investigate the source of these requests for malware infection or unauthorized software, and check DNS logs for any other hosts making DNS lookup requests for the offending domain.

**Related MITRE ATT\&CK Categories**

[Command and Control: Protocol Tunneling, Technique T1572 - Enterprise](https://attack.mitre.org/techniques/T1572)

