Why are DNS logs useful for detection, and what threats can you find in them?
Short answer
Almost everything touches DNS, so DNS logs reveal threats other sources miss: command-and-control beaconing (regular callbacks to a domain), DNS tunneling and exfiltration (high volume of long, encoded subdomains), and algorithmically generated (DGA) domains. You detect these through patterns like query regularity, entropy, record types, and volume rather than single bad lookups.
DNS is one of the most underrated log sources in a SOC. Because nearly every network action begins with a name lookup, DNS gives near-universal visibility — and attackers rely on it too. This is a senior-leaning question because the value is in the patterns, not individual queries.
Command-and-control beaconing
Malware that calls home often resolves its C2 domain on a regular interval. In DNS logs that shows up as periodic, machine-like queries to the same domain — every 60 seconds, say — with low jitter. Humans browse irregularly; beacons are metronomic. Detecting the regularity (and rare or newly registered domains) flags C2 even when the C2 traffic itself is encrypted.
DNS tunneling and exfiltration
Because DNS is almost always allowed outbound, attackers abuse it as a covert channel. They encode stolen data into long, high-entropy subdomains (a8f3...e2.exfil.evil.com) and read responses (often TXT records) for instructions. The tells are abnormal query length, high entropy, unusual record types (lots of TXT or NULL), and a high volume of unique subdomains under one parent domain.
DGA domains
Some malware uses Domain Generation Algorithms to compute hundreds of pseudo-random domains so defenders can't simply block one. The signature is many NXDOMAIN (non-existent) responses for high-entropy, gibberish-looking names as the malware hunts for the live one.
Detect on patterns, not single lookups
The common thread: you rarely catch these from one query. You aggregate — regularity, entropy, length, record-type mix, NXDOMAIN rate, and newly seen domains.
A modern wrinkle
DNS over HTTPS can hide queries from your resolver logs, so SOCs increasingly force internal resolvers and block external DoH to keep visibility.
Why this matters
An analyst who mines DNS for behavioral patterns can catch stealthy C2 and exfiltration that endpoint or proxy logs miss — exactly the kind of layered thinking senior interviewers probe for.
Likely follow-ups
- What does DNS beaconing look like compared to normal browsing?
- How does DNS tunneling smuggle data out, and what is the tell?
- How does DNS over HTTPS (DoH) complicate DNS-based detection?