Last updated: April 29, 2026
Why this module exists. Almost every internet attack starts with a DNS query — beaconing to C2, exfiltration via DNS tunneling, phishing-link resolution, malware updating itself. DNS logs are the highest-signal-per-byte log source in your environment, and most SOCs underuse them.
What DNS logs reveal
- Beaconing — same source contacting same destination at fixed intervals
- Tunneling — long, high-entropy subdomain queries to attacker-controlled domains
- DGAs — algorithmic domain generation; queries to many random-looking domains in a burst
- Newly registered domains — phishing infrastructure often registered minutes before campaigns
- Suspicious TLD usage — .top, .xyz, .tk see disproportionate malicious use
- Failed lookups in clusters — malware testing for typosquats or fallback domains
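Simple detections for three of the patterns above (beaconing, tunneling, clustered failed lookups) run over constructed log lines. This is an added example, not the module's own tooling; the log format, the thresholds and the two-label registered-domain rule are assumptions, and the TLD and domain-age checks need external data this snippet does not model.

```python
import math
import statistics
from collections import defaultdict
# Constructed sample lines, not real traffic: "<epoch seconds> <src_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1000 10.0.0.5 beacon.example-c2.test NOERROR
1060 10.0.0.5 beacon.example-c2.test NOERROR
1120 10.0.0.5 beacon.example-c2.test NOERROR
1180 10.0.0.5 beacon.example-c2.test NOERROR
1005 10.0.0.7 www.example.com NOERROR
1010 10.0.0.9 4a7f9c2e1b8d6f3a5c7e9b1d2f4a6c8e0b3d5f7a.tunnel.test NOERROR
1020 10.0.0.11 xk3pq9zv.test NXDOMAIN
1021 10.0.0.11 q8wm2ltz.test NXDOMAIN
1022 10.0.0.11 v5rj7nbd.test NXDOMAIN
"""

def parse(log):  # one (ts, src, qname, rcode) tuple per line
    return [(int(t), s, q.lower().rstrip("."), r) for t, s, q, r in (l.split() for l in log.splitlines())]

def registered_domain(qname):  # assumption: last two labels; production code uses a public-suffix list
    return ".".join(qname.split(".")[-2:])

def entropy(s):  # Shannon entropy in bits per character
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def beacons(rows, min_queries=4, max_jitter=0.1):
    """(src, domain) pairs queried at near-constant intervals: stdev of gaps <= 10% of the mean gap."""
    times = defaultdict(list)
    for ts, src, qname, _ in rows:
        times[(src, registered_domain(qname))].append(ts)
    hits = []
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if len(ts) >= min_queries and statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            hits.append(key)
    return hits

def tunnel_candidates(rows, min_len=30, min_entropy=3.5):
    """Queries whose subdomain part is long and high-entropy, the shape of data encoded into labels."""
    return [(src, q) for _, src, q, _ in rows
            if len(sub := q[: -len(registered_domain(q)) - 1]) >= min_len and entropy(sub) >= min_entropy]

def nxdomain_bursts(rows, window=60, threshold=3):
    """Sources with >= threshold NXDOMAIN answers inside one window (DGA or fallback-domain probing)."""
    per_src = defaultdict(list)
    for ts, src, _, rcode in rows:
        if rcode == "NXDOMAIN":
            per_src[src].append(ts)
    return [src for src, ts in per_src.items()
            if any(sorted(ts)[i + threshold - 1] - sorted(ts)[i] <= window for i in range(len(ts) - threshold + 1))]
```

Thresholds here are illustrative; tune them against a baseline of your own resolver traffic before alerting on them.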
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.