DNS tunneling can be used by attackers to encode data of non-DNS programs and protocols within DNS queries and responses. This provides attackers with an open back channel with which they can transfer files or remotely access the system. DNS tunnel detection uses machine learning to analyze the behavioral qualities of DNS queries, including n-gram frequency analysis of domains, entropy, query rate, and patterns to determine if the query is consistent with a DNS tunneling-based attack. Combined with the firewall’s automated policy actions, this allows you to quickly detect C2 or data theft hidden in DNS tunnels and to automatically block it, based on your defined policy rules.

You can analyze the sinkholed DNS queries by viewing the threat logs (Monitor > Logs, then select the log type from the list):