Learn about the DNS tunneling detection features of the DNS Security service.
DNS tunneling can be used by attackers to encode data of non-DNS programs and protocols within DNS queries and responses. This provides attackers with an open back channel with which they can transfer files or remotely access the system. DNS tunnel detection uses machine learning to analyze the behavioral qualities of DNS queries, including n-gram frequency analysis of domains, entropy, query rate, and patterns to determine if the query is consistent with a DNS tunneling-based attack. Combined with the firewall’s automated policy actions, this allows you to quickly detect C2 or data theft hidden in DNS tunnels and to automatically block it, based on your defined policy rules.
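The following is an added illustration, not code from the DNS Security service, of the behavioral signals the paragraph above names: it groups queries by parent domain and scores subdomain entropy, character n-gram (bigram) rarity against a small benign baseline, and query rate, then flags a domain when two or more indicators exceed a threshold. The baseline labels, the sample query log, the two-label parent-domain approximation and all thresholds are constructed assumptions for this example; the product's actual model and tuning are not described on the page.

```python
"""Added example (not the DNS Security service's own code): heuristic scoring
of the behavioural signals listed for DNS tunnel detection. Inputs, baseline
and thresholds are constructed for illustration only."""
import hashlib
import math
from collections import Counter, defaultdict

# Constructed benign hostname labels used to build the bigram baseline.
BENIGN_BASELINE = [
    "www", "mail", "cdn", "api", "login", "static", "images", "assets",
    "update", "portal", "shop", "news", "blog", "docs", "support", "ftp",
]


def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for empty text)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def build_bigram_model(labels):
    """Count adjacent character pairs across the benign labels."""
    model = Counter()
    for label in labels:
        model.update(label[i:i + 2] for i in range(len(label) - 1))
    return model


BIGRAM_MODEL = build_bigram_model(BENIGN_BASELINE)


def bigram_rarity(label, model=BIGRAM_MODEL):
    """Fraction of the label's bigrams never seen in the benign baseline."""
    bigrams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not bigrams:
        return 0.0
    return sum(1 for b in bigrams if model[b] == 0) / len(bigrams)


def split_name(name):
    """Return (parent_domain, subdomain_text). The parent domain is
    approximated as the last two labels (assumption: a real deployment
    would consult a public-suffix list); dots are dropped from the rest."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), "".join(parts[:-2])


def score_queries(queries, entropy_threshold=3.0, rarity_threshold=0.5,
                  rate_threshold=2.0):
    """Aggregate (timestamp_seconds, queried_name) pairs per parent domain
    and flag a domain when at least two of three indicators exceed their
    threshold. Thresholds are assumed values, not the product's parameters."""
    grouped = defaultdict(list)
    for ts, name in queries:
        parent, sub = split_name(name)
        grouped[parent].append((ts, sub))
    results = {}
    for parent, items in grouped.items():
        subs = [sub for _, sub in items]
        stamps = [ts for ts, _ in items]
        span = max(stamps) - min(stamps)          # observation window in s
        features = {
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
            "mean_rarity": sum(map(bigram_rarity, subs)) / len(subs),
            "queries_per_second": len(items) / max(span, 1.0),
        }
        hits = (
            (features["mean_entropy"] > entropy_threshold)
            + (features["mean_rarity"] > rarity_threshold)
            + (features["queries_per_second"] > rate_threshold)
        )
        features["indicators"] = hits
        features["flagged"] = hits >= 2
        results[parent] = features
    return results


def constructed_sample_log():
    """Constructed query log: sparse ordinary lookups under example.com plus
    a burst of long, high-entropy labels under example.net (hex digests stand
    in for encoded payload chunks a tunnel would carry)."""
    benign = [(0.0, "www.example.com"), (5.0, "mail.example.com"),
              (12.0, "cdn.example.com"), (20.0, "docs.example.com"),
              (31.0, "login.example.com")]
    tunnel = []
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        tunnel.append((10.0 + i * 0.25, f"{chunk}.example.net"))
    return benign + tunnel


if __name__ == "__main__":
    for domain, feats in score_queries(constructed_sample_log()).items():
        print(domain, feats)
```

Run as a script, the example prints one feature dictionary per parent domain; the sparse example.com lookups score zero indicators, while the example.net burst trips entropy, bigram rarity and rate together. Each indicator alone produces false positives (CDN hostnames have high-entropy labels, busy resolvers have high rates), which is why the flag requires agreement between signals and why the service combines them with a learned model rather than fixed cut-offs.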
You can analyze the sinkholed DNS queries by viewing the threat logs (Monitor > Logs, then select the log type from the list):