DNS logs are one of the most powerful network telemetry sources a SOC has. Almost every intrusion (malware infection, C2 communication, phishing, data exfiltration, beaconing, ransomware) touches DNS at some stage.
Because DNS is fundamental to Internet communication and is rarely blocked outbound, attackers lean on it heavily for malware callbacks, domain generation algorithms (DGAs), command-and-control, tunneling and stealthy exfiltration.
This chapter covers DNS logs at working SOC depth: raw log samples, detection patterns, SIEM queries, IOC extraction and a full attack timeline.
What DNS Logs Capture
DNS logs show:
- Which domain was requested
- Which host made the request (client IP and source port)
- Timestamp
- Query type (A, AAAA, TXT, MX, NULL...)
- Response code (NOERROR, NXDOMAIN, SERVFAIL, REFUSED)
- Answer records (resolved IPs, CNAMEs, TXT contents)
- Which resolver answered
- Frequency of requests (beacons)
Not every source captures all of these. A resolver's query log (BIND's default querylog, for example) records requests only, so response codes and answers come from sensors that see the reply (Zeek, Suricata, Windows DNS analytic logging) or from resolvers configured to log responses.
Because the lookup happens before any connection is made, DNS often records the first contact with attacker infrastructure, sometimes before the payload has even been downloaded.
Sources of DNS Logging
DNS logs come from:
- BIND / named query logging (enable it with rndc querylog or a logging channel; files commonly live under /var/log/named/)
- systemd-resolved
- Unbound
- dnsmasq (log-queries)
- Windows DNS Server (debug logging, or the Microsoft-Windows-DNSServer analytic/audit event log)
- Cloud DNS logs (AWS Route 53 Resolver query logs, Azure DNS, GCP Cloud DNS logging)
- Firewall DNS proxies
- EDR DNS telemetry (for example Sysmon Event ID 22, DnsQuery)
- Suricata EVE records with event_type: dns
- Zeek dns.log
All of these can be forwarded to a SIEM for analysis.
Real DNS Log Examples (SOC-Level)
Below are raw DNS log lines, trimmed to the fields an analyst actually reads. Examples 1 to 6 are in BIND query-log style; the response codes in example 7 come from a source that logs answers, such as Zeek dns.log.
1. Normal DNS Request
Jan 10 04:12:22 dns-server named[2221]: client 10.0.0.5#50255: query: google.com IN A
2. Suspicious Random Subdomain (DGA Malware)
client 10.0.0.5#40255: query: gdja92oqwela.xjpwqz.biz IN A
A random-looking label under an equally random registered domain is typical of DGA output. One such lookup is weak evidence; dozens from the same host, most answered NXDOMAIN, are strong evidence.
3. C2 Beacon via DNS
client 10.0.0.8#52211: query: config.updates-checkin.net IN A
Pattern: unusual domain + periodic requests.
4. DNS Tunneling Attempt (Large TXT Record Requests)
client 10.0.0.12#53312: query: dGhpcy1pcy1leGZpbHRyYXRpb24uc3RyaW5n.baddomain.com IN TXT
A Base64-like label of that length in a TXT query is the signature of DNS tunneling or exfiltration. TXT lookups themselves are normal (SPF, DKIM and DMARC checks by mail servers, ACME validation); what makes this one suspicious is the long encoded label and, over time, the volume of unique subdomains under a single domain.
5. Malware Droppers
query: payload.cdn-shady-download.net IN A
Source of initial malware download.
6. Phishing Domain Lookup
query: login-office365-security.com IN A
The lookup is logged before the HTTP or TLS connection is made, so DNS records the click even when proxy logs are missing or the session is encrypted.
7. NXDOMAIN Storm (DGA Behavior)
query: asd92j9asdja9.com → NXDOMAIN
query: q2u9djasd9929.com → NXDOMAIN
query: 9asdj92jasdz.com → NXDOMAIN
Dozens or hundreds of failed lookups from one host in a short window is a strong DGA indicator. Confirm against the host's baseline before escalating: search-suffix appending, stale configuration and Chrome's startup probes of random hostnames also generate NXDOMAIN bursts, though far smaller ones.
Key DNS Log Fields Analysts Must Understand
1. Query Domain
Primary indicator of malicious activity and the pivot for threat-intel and domain-age lookups.
2. Query Type
- A / AAAA → normal, but also the record types most C2 and DGA malware use, so type alone does not clear a query
- TXT → used by tunneling tools, and also by legitimate SPF/DKIM/DMARC and ACME checks; judge by label length and volume
- NULL → almost never legitimate; used by tunneling tools such as iodine
- MX → normal from mail servers, unusual from a workstation (mail-sending malware or reconnaissance)
3. Response Code
- NOERROR → valid answer
- NXDOMAIN → DGA fallback when it appears in bursts; isolated NXDOMAINs are typos and stale configuration
- SERVFAIL / REFUSED → resolver or upstream failures, worth noting when they cluster on one domain
4. Response IP
Match resolved addresses against threat-intel lists, and use them to pivot into firewall, proxy and NetFlow logs for the connection that followed.
5. Query Frequency
Beacon interval detection relies on this.
6. Client IP
Identifies the compromised host. Behind a forwarding resolver the client IP is the resolver's, not the workstation's, unless the logs come from the first hop.
7. Resolver Used
Queries sent to anything other than the sanctioned internal resolvers indicate a policy bypass or malware with a hard-coded resolver.
Attack Behavior Visible in DNS Logs
1. Malware Command-and-Control
Malware asks:
beacon-123.randomdomain.xyz
Small periodic lookups → C2 beaconing.
2. DGA (Domain Generation Algorithm) Malware
Domains like:
oqwje92jqpz.biz
alsdjq029asja.org
kss21p9qq99.co
Usually:
- Random-looking
- Repeated NXDOMAIN, because the malware iterates through candidate names until it hits one the operator has registered
3. DNS Tunneling / Data Exfiltration
Long queries with:
- Base32/Base64
- Hex
- Random long strings
- TXT queries
Example:
dGhpcy1pcy1zZWNyZXQuc3RyaW5n.attacker.com
4. Phishing Domains
office365-authenticator-login.com
paypal-verification-check.net
DNS sees this before the user’s browser.
5. Malware Download Infrastructure
cdn-update-mirror.net
dropper.evilcdn.ru
DNS logs catch dropper requests.
6. Beaconing at Fixed Intervals
Every 60 seconds:
status.checkin-xyz.net
This is how RATs and backdoors operate.
7. Crypto Miners
Domains:
- pool.minexmr.com
- mine.xmrpool.net
DNS logs detect unauthorized mining.
8. Cobalt Strike Beacon
Domains like:
aaa-update-service.com
cdn-sec-check.net
The HTTP(S) Beacon only resolves its C2 host, so its DNS footprint is small and periodic. The DNS Beacon variant resolves subdomains of the C2 domain on its sleep interval and, in the default configuration, receives 0.0.0.0 as the idle answer, so periodic A lookups answered with 0.0.0.0 are a well-known detection.
SIEM Queries (Practical SOC Usage)
Detect DGA domains
length(registered_label) > 10 AND entropy(registered_label) > 3.0 AND vowel_ratio < 0.25
("random patterns" has to be made concrete: character entropy, vowel ratio, digit/letter mixing, or a classifier score)
Detect DNS tunneling
query_type IN (TXT, NULL) AND longest_label_length > 30
OR count(distinct subdomain) per registered_domain > 100 in 10 minutes
Detect NXDOMAIN storms
rcode:NXDOMAIN AND count > 20 in 1 minute per client
Detect newly registered malicious domains
domain_age_days < 30 AND category:unknown
(domain age needs enrichment from WHOIS/RDAP or passive-DNS first-seen data; the SIEM cannot compute it from the log alone)
Detect malware C2
domain IN threat_intel_list OR answer_ip IN threat_intel_ip_list
Detect repeated beaconing
same client AND same domain AND interval between queries nearly constant (low variance), for example 60 seconds with little jitter
Detect suspicious download domains
domain:*cdn* AND domain:*download* AND domain_age_days < 30
(the keyword match alone is noisy; the age condition is what makes it useful)
Detect suspicious TLDs
domain:*.ru OR domain:*.su OR domain:*.cn
(treat TLD matches as enrichment that raises a risk score, not as an alert on their own; they produce many false positives in any organisation with business in those regions)
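The parsing and detection logic behind the raw log samples and the pseudo-queries above, as a runnable example added here (it is not code from the page). It reads a constructed, reduced Zeek dns.log-style record set (fields ts, id.orig_h, query, qtype_name, rcode_name, answers; the traffic is invented, not captured) and implements the DGA heuristic, the TXT/NULL tunneling check, the per-client NXDOMAIN storm window, the fixed-interval beacon check and the 0.0.0.0 idle-answer check. All thresholds, and the two-of-three trait rule for DGA labels, are assumptions to be tuned against your own baseline.

```python
"""DNS log triage over reduced Zeek-dns.log-style records.  Added example, not
the page's code; every threshold is an assumption to tune against a baseline."""
import math
import statistics
from collections import defaultdict

# Constructed sample (invented, not captured traffic).  Tab-separated subset of
# Zeek dns.log fields: ts, id.orig_h, query, qtype_name, rcode_name, answers ("-" = none).
SAMPLE_LOG = """\
1705000000.0\t10.0.0.5\tgoogle.com\tA\tNOERROR\t142.250.74.78
1705000000.5\t10.0.0.5\tgdja92oqwela.xjpwqz.biz\tA\tNXDOMAIN\t-
1705000001.0\t10.0.0.5\tq2u9djasd9929.com\tA\tNXDOMAIN\t-
1705000001.5\t10.0.0.5\t9asdj92jasdz.com\tA\tNXDOMAIN\t-
1705000002.0\t10.0.0.12\tdGhpcy1pcy1leGZpbHRyYXRpb24uc3RyaW5n.baddomain.com\tTXT\tNOERROR\t-
1705000003.0\t10.0.0.12\texample.org\tTXT\tNOERROR\tv=spf1 -all
1705000000.0\t10.0.0.8\tstatus.system-checkin-status.net\tA\tNOERROR\t0.0.0.0
1705000060.0\t10.0.0.8\tstatus.system-checkin-status.net\tA\tNOERROR\t0.0.0.0
1705000120.0\t10.0.0.8\tstatus.system-checkin-status.net\tA\tNOERROR\t0.0.0.0
1705000180.0\t10.0.0.8\tstatus.system-checkin-status.net\tA\tNOERROR\t0.0.0.0
1705000000.0\t10.0.0.9\twww.example.com\tA\tNOERROR\t93.184.216.34
1705000017.0\t10.0.0.9\twww.example.com\tA\tNOERROR\t93.184.216.34
"""

def parse(text):
    """Yield one dict per record, skipping Zeek's '#' header and footer lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, client, query, qtype, rcode, answers = line.split("\t")
        yield {"ts": float(ts), "client": client, "query": query.rstrip("."),
               "qtype": qtype, "rcode": rcode, "answers": answers}

def entropy(s):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def dga_label(label):
    """Assumed rule: 10+ chars showing at least two of high entropy, digit/letter
    mixing, few vowels.  A trained classifier is the production answer."""
    label = label.lower()
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / max(len(letters), 1)
    traits = (entropy(label) >= 2.7,
              bool(letters) and any(ch.isdigit() for ch in label),
              vowel_ratio < 0.25)
    return len(label) >= 10 and sum(traits) >= 2

def looks_dga(domain):
    """True if any label left of the TLD scores as generated (assumes the last label is the public suffix)."""
    return any(dga_label(lbl) for lbl in domain.split(".")[:-1])

def looks_tunnel(rec, max_label=30):
    """TXT/NULL query carrying a label longer than any real hostname label."""
    return rec["qtype"] in ("TXT", "NULL") and max(map(len, rec["query"].split("."))) >= max_label

def nxdomain_storms(records, window=60.0, threshold=20):
    """Clients with >= threshold NXDOMAIN answers inside any window of seconds."""
    per_client = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            per_client[r["client"]].append(r["ts"])
    hits = set()
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(client)
    return hits

def beacons(records, min_count=4, max_cv=0.1):
    """(client, domain) pairs queried at near-constant intervals; cv = stdev/mean of
    the gaps.  Cobalt Strike jitter raises cv, so widen max_cv when hunting."""
    seen = defaultdict(list)
    for r in records:
        seen[(r["client"], r["query"])].append(r["ts"])
    found = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found[key] = round(mean, 1)
    return found

def triage(text, nx_threshold=20):
    """Run every detection over the log text; zero_answer is the Cobalt Strike DNS Beacon idle reply."""
    records = list(parse(text))
    return {
        "dga": sorted({r["query"] for r in records if looks_dga(r["query"])}),
        "tunnel": sorted({r["query"] for r in records if looks_tunnel(r)}),
        "nxdomain_storm": sorted(nxdomain_storms(records, threshold=nx_threshold)),
        "beacons": beacons(records),
        "zero_answer": sorted({r["query"] for r in records if r["answers"] == "0.0.0.0"}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, nx_threshold=3))  # sample is tiny; ~20 NXDOMAIN/min per client is a sane production start
```

The encoded tunneling label also trips the DGA heuristic, which is expected: both are high-entropy labels, and it is the TXT type and label length that separate them. The beacon check deliberately scores regularity rather than a short interval, since a host polling a legitimate service every 17 seconds and then not for three minutes is not a beacon, while one querying the same name every 60 seconds with near-zero variance is.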
Full Attack Timeline Using DNS Logs (Practical Case)
Step 1 — Phishing Link Clicked
query: login-office365-security.com
Step 2 — Malware Downloader Contact
query: payload.droppercdn.ru
Step 3 — Malware Fetches C2 Domain
query: system-checkin-status.net
Step 4 — C2 Beaconing Begins
Every 60 seconds:
query: status.system-checkin-status.net
Step 5 — DNS Tunneling Detected
TXT query with long base64 strings
Step 6 — Data Exfiltration via DNS
large encoded TXT queries → attacker.com
Each stage produces a DNS query before the corresponding HTTP or TLS connection, so DNS is often the earliest record of the intrusion and, where the traffic is encrypted, the only one that names the destination.
Analyst Workflow Using DNS Logs
- Extract suspicious domains
- Check domain age + threat intel
- Identify client host (possible infected machine)
- Review frequency of queries
- Check for DGA or random domains
- Look for tunneling (TXT, long queries)
- Correlate with proxy/firewall logs
- Check endpoint (Sysmon) for malware execution
- Build full timeline
- Escalate incident if malicious
DNS logs are extremely effective because nearly all malware relies on DNS at some stage.
Intel Dump
- DNS logs reveal domain queries, response codes, IPs, query types, and frequency.
- Malicious behavior includes DGA domains, C2 beaconing, tunneling, phishing, and dropper infrastructure.
- High-risk indicators: random domains, newly registered domains, TXT queries with long strings, NXDOMAIN storms.
- SIEM queries detect tunneling, C2 communication, abnormal domains, and DGA patterns.
- DNS logs expose the full attack flow from phishing → malware → beaconing → data exfiltration.