# dnstunneling

**Explanation**

The dnstunneling NDM is designed to detect DNS tunneling on your network. DNS tunneling is a technique used by malicious actors to bypass firewalls and security appliances to exfiltrate data from a network. The NDM monitors DNS queries and responses to detect any unusual or suspicious activity.

**What to Look For**

When examining the results of the dnstunneling NDM, look for patterns of DNS traffic that do not match typical behavior on your network. This can include a large volume of DNS queries or responses with long domain names or unusual query types. Additionally, look for network endpoints that are communicating with suspicious domains or IP addresses.

To remediate the issue, investigate the source of the suspicious DNS traffic and block any domains or IP addresses associated with the activity. Additionally, consider implementing DNS security solutions to prevent DNS tunneling and other DNS-based attacks.

**Related MITRE ATT\&CK Categories**

[Command and Control: Protocol Tunneling, Technique T1572 - Enterprise](https://attack.mitre.org/techniques/T1572)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise/dnstunneling.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.