
Flowmon ADS User Guide

DNSANOMALY - DNS Anomaly

  • Last Updated: April 5, 2026

Method description

This method detects suspicious communication in DNS traffic. It reports large data transfers over TCP port 53, which are caused either by DNS zone transfers or by potential exfiltration of sensitive data from the company environment. The sensitivity of this detection is adjusted with the TCPTransferLimit option.

The method is extended by the detection of DNS servers that are not allowed in the monitored network. This extension is activated by selecting the DNSServers filter, which defines the IP addresses of the allowed DNS servers.

The next extension is based on a simple model of the DNS servers in use. Its purpose is to notify you when monitored devices start using DNS servers that were not widely used in the past. The LearnCycles parameter defines how many five-minute intervals the method spends training the model used for detection. The MinimalRatio parameter defines the minimal share of a client's DNS connections that a server must account for to be considered a usual server for that client. If there are target DNS servers in the monitored network that should not raise an event, exclude them from detection with the ServersToExclude parameter. Similarly, DNS clients can be excluded with the ClientsToExclude parameter. Excluding DNS clients is useful when recursive DNS servers are part of the monitored infrastructure: such a server acts as a DNS client that communicates with many different external DNS servers and would therefore produce many events.

This method consists of the following sub-methods:

  • TCPHighTraffic: Monitors the amount of DNS data transferred over TCP. Any device in the network that exceeds the user-defined threshold of transferred data is reported.

  • ForbiddenServer: Reports communication with a DNS server that is not a part of the user-defined list of allowed DNS servers. This detection method is active if the DNSServers parameter is set.

  • UnusualServer: Reports communication with a DNS server that has not been widely used by the client device. The detection is based on statistics of the data transferred between the client and DNS servers. This detection method is active if the DNSServers parameter is set.

Method configuration

It is recommended to apply this method network-wide, to all traffic regardless of IP addresses. The right place to monitor the traffic is the Internet connection line.

Method parameters

General

  • WithoutResponse: Report communication with unauthorized or unusual DNS servers even if there is no reply. The parameter applies to the ForbiddenServer and UnusualServer sub-methods.

  • DNSServers: Name of the filter that defines the IP addresses of the DNS servers that the local security policy allows to be used in the monitored network. The parameter applies to the ForbiddenServer and UnusualServer sub-methods.

ForbiddenServer

  • PolicyExceptions: Name of the filter that defines the IP addresses of the devices that are allowed to communicate with arbitrary DNS servers.

UnusualServer

  • LearnCycles: Number of five-minute cycles used to train the classifier. No events are reported during this period.

  • MinimalRatio: Minimal ratio (in percent) of the number of uses of a DNS server to all DNS uses by the respective client IP address for that server to be considered commonly used by the client.

  • ServersToExclude: Name of the filter that defines the IP addresses of the target DNS servers that are ignored within the classifier.

  • ClientsToExclude: Name of the filter with DNS clients for which there should be no events created.

TCPHighTraffic

  • TCPTransferLimit: Threshold (in bytes) of data transferred by the DNS service over TCP; transfers exceeding this amount are reported.

  • EnabledTCP: Name of the filter that defines the IP addresses of the devices that are allowed to transfer data by the DNS service using TCP (for example, DNS servers for zone transfers).

  • IgnoreInternal: Allows large DNS transfers over TCP that do not leave the monitored network to be ignored. When set to yes, only large transfers to or from external IP addresses are reported.
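The three sub-methods described above and the parameters that drive them can be made concrete with a small simulation. The Python below is an added example for this guide, not Flowmon's own detection code: it replays constructed flow records, cycle by cycle, through toy versions of TCPHighTraffic, ForbiddenServer and UnusualServer. The parameter values, the flow field names (src, dst, proto, dport, bytes, responded), the 10.0.0.0/8 monitored network and the reading of WithoutResponse as "also report queries that received no reply" are all assumptions.

```python
"""Toy model of the three DNSANOMALY sub-methods over constructed flow records.
Added example for the guide, not Flowmon's code; field names, network prefix and
parameter values are assumptions chosen for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Parameters named after the guide's options; every value here is illustrative.
TCP_TRANSFER_LIMIT = 100_000                     # TCPTransferLimit, bytes per client per cycle
DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}         # DNSServers: resolvers allowed by policy
POLICY_EXCEPTIONS = {"10.0.0.53", "10.0.1.53"}   # PolicyExceptions: resolvers may use any upstream
ENABLED_TCP = {"10.0.0.53", "10.0.1.53"}         # EnabledTCP: hosts allowed to do zone transfers
IGNORE_INTERNAL = True                           # IgnoreInternal
WITHOUT_RESPONSE = False                         # WithoutResponse (assumed: report unanswered queries too)
LEARN_CYCLES = 2                                 # LearnCycles: training cycles before reporting
MINIMAL_RATIO = 10.0                             # MinimalRatio, percent
CLIENTS_TO_EXCLUDE = {"10.0.0.53", "10.0.1.53"}  # recursive resolvers fan out to many upstreams
SERVERS_TO_EXCLUDE = set()                       # ServersToExclude
INTERNAL_NETS = [ip_network("10.0.0.0/8")]       # assumed monitored network


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def dns_flows(flows):
    """Client-to-server DNS flows: destination port 53 over UDP or TCP."""
    return [f for f in flows if f["dport"] == 53 and f["proto"] in ("udp", "tcp")]


def tcp_high_traffic(flows):
    """TCPHighTraffic: bytes sent over TCP/53 per client within one cycle."""
    per_client = defaultdict(int)
    for f in dns_flows(flows):
        if f["proto"] != "tcp" or f["src"] in ENABLED_TCP:
            continue
        if IGNORE_INTERNAL and is_internal(f["dst"]):
            continue
        per_client[f["src"]] += f["bytes"]
    return sorted((c, b) for c, b in per_client.items() if b > TCP_TRANSFER_LIMIT)


def forbidden_server(flows):
    """ForbiddenServer: DNS traffic to a server outside the DNSServers filter."""
    events = set()
    for f in dns_flows(flows):
        if f["src"] in POLICY_EXCEPTIONS or f["dst"] in DNS_SERVERS:
            continue
        if not WITHOUT_RESPONSE and not f["responded"]:
            continue  # unanswered query: only reported when WithoutResponse is on
        events.add((f["src"], f["dst"]))
    return sorted(events)


class UnusualServerModel:
    """UnusualServer: share of each client's DNS flows per server, learned over LEARN_CYCLES."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))  # client -> server -> flow count
        self.cycles_seen = 0

    def observe(self, flows):
        """Feed one five-minute cycle; returns (client, server, ratio%) events, none while training."""
        events = set()
        relevant = [f for f in dns_flows(flows)
                    if f["src"] not in CLIENTS_TO_EXCLUDE and f["dst"] not in SERVERS_TO_EXCLUDE]
        if self.cycles_seen >= LEARN_CYCLES:
            for f in relevant:
                if not WITHOUT_RESPONSE and not f["responded"]:
                    continue
                total = sum(self.counts[f["src"]].values())
                ratio = 100.0 * self.counts[f["src"]][f["dst"]] / total if total else 0.0
                if ratio < MINIMAL_RATIO:
                    events.add((f["src"], f["dst"], round(ratio, 1)))
        for f in relevant:  # the model keeps learning after the training period
            self.counts[f["src"]][f["dst"]] += 1
        self.cycles_seen += 1
        return sorted(events)


def flow(src, dst, proto, nbytes, responded=True):
    return {"src": src, "dst": dst, "proto": proto, "dport": 53, "bytes": nbytes, "responded": responded}


# Constructed traffic: two quiet training cycles, then one cycle with anomalies.
QUIET = ([flow("10.0.5.7", "10.0.0.53", "udp", 120)] * 20
         + [flow("10.0.5.7", "10.0.1.53", "udp", 120)]                     # allowed but rarely used
         + [flow("10.0.5.9", "10.0.0.53", "udp", 120)] * 5
         + [flow("10.0.0.53", "198.51.100.9", "udp", 130)] * 5)            # resolver recursing upstream
NOISY = (QUIET
         + [flow("10.0.5.7", "203.0.113.5", "udp", 140)]                   # new external resolver
         + [flow("10.0.5.7", "203.0.113.7", "udp", 90, responded=False)]   # unanswered query
         + [flow("10.0.5.9", "10.0.0.53", "tcp", 250_000)]                 # big TCP/53, stays internal
         + [flow("10.0.5.9", "203.0.113.5", "tcp", 250_000)]               # big TCP/53 leaving the network
         + [flow("10.0.0.53", "10.0.1.53", "tcp", 5_000_000)])             # zone transfer between resolvers
CYCLES = [QUIET, QUIET, NOISY]


def run(cycles=CYCLES):
    """Run all three sub-methods cycle by cycle and collect their events."""
    model = UnusualServerModel()
    return [{"cycle": n,
             "TCPHighTraffic": tcp_high_traffic(c),
             "ForbiddenServer": forbidden_server(c),
             "UnusualServer": model.observe(c)} for n, c in enumerate(cycles, 1)]
```

Calling run() yields no events for the two training cycles. In the third cycle TCPHighTraffic reports only the 250 kB TCP/53 transfer from 10.0.5.9 to 203.0.113.5 (the equally large internal one is suppressed by IgnoreInternal and the 5 MB zone transfer by EnabledTCP); ForbiddenServer reports both clients that queried 203.0.113.5; UnusualServer reports that new external server and also the allowed but rarely used 10.0.1.53, whose 4.8 % share of 10.0.5.7's queries is below MinimalRatio. That last case is why MinimalRatio and ServersToExclude need to be tuned together: a secondary resolver permitted by policy can still be "unusual" for a given client. The unanswered query to 203.0.113.7 is reported by neither sub-method because WithoutResponse is off.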

Assigned filter

Only flows whose source IP address matches the assigned filter will be processed.

Interpretation of results

This method detects abuse of the DNS service for undesirable activities, typically tunneling of network traffic through the DNS protocol for a malicious purpose (for example, data exfiltration). A sudden change in the DNS servers a device uses can indicate a malware infection.
