
Flowmon ADS User Guide

DNSQUERY - DNS Query Volume Anomaly

  • Last Updated: April 5, 2026

Method description

This method detects an increased number of DNS queries sent by one station. The number of DNS queries is counted over the last hour. An event is reported if the number is n times greater than the average of the other stations, where n is defined by the Multiplicator parameter. The average is calculated only from stations that send more than MinimalQueryLimit queries. DNS servers can be excluded from this detection by setting the ExcludeDNS parameter to yes (the default value is no).

This method consists of the following submethod:

  • QueriesCount: Monitors the number of DNS queries sent by devices in the monitored network and reports if the number of queries is significantly increased.

Method configuration

It is recommended to apply this method network-wide for all traffic on the network regardless of IP addresses. The right place for traffic monitoring is the central switch.

Method parameters

  • MinimalQueryLimit: Threshold for the minimum count of DNS queries sent by a single device to include the device in the detection.

  • Multiplicator: Coefficient used to compute the dynamic threshold. The threshold is the product of this coefficient and the network average.

  • ExcludeDNS: Name of the filter that defines the IP addresses that are allowed to send an increased number of DNS queries.
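
The threshold logic these parameters describe, sketched in Python as an added example (it is not Flowmon's implementation). It assumes one flow record per DNS query identified by destination port 53, a leave-one-out average for "the other stations", and that excluded servers are also left out of the average; the function name, record format and addresses are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: one hour of flow records as (source IP, destination port).
SAMPLE_FLOWS = (
    [("10.0.0.11", 53)] * 120
    + [("10.0.0.12", 53)] * 80
    + [("10.0.0.13", 53)] * 100
    + [("10.0.0.14", 53)] * 5       # below MinimalQueryLimit, ignored
    + [("10.0.0.66", 53)] * 4000    # station with a query burst
    + [("10.0.0.2", 53)] * 9000     # internal resolver forwarding upstream
    + [("10.0.0.11", 443)] * 300    # non-DNS traffic, never counted
)

def dns_query_anomalies(flows, minimal_query_limit, multiplicator, exclude_dns=()):
    """Return {source_ip: (query_count, threshold)} for stations over threshold."""
    excluded = [ip_network(net) for net in exclude_dns]  # hypothetical filter content
    counts = Counter()
    for src, dst_port in flows:
        if dst_port != 53:
            continue  # assumption: a DNS query is a flow to port 53
        if any(ip_address(src) in net for net in excluded):
            continue  # assumption: excluded servers neither alert nor feed the average
        counts[src] += 1

    # Only stations above MinimalQueryLimit take part in the detection.
    active = {ip: c for ip, c in counts.items() if c > minimal_query_limit}
    alerts = {}
    for ip, count in active.items():
        others = [c for other, c in active.items() if other != ip]
        if not others:
            continue  # no peer baseline to compare against
        threshold = multiplicator * (sum(others) / len(others))
        if count > threshold:
            alerts[ip] = (count, threshold)
    return alerts

if __name__ == "__main__":
    print(dns_query_anomalies(SAMPLE_FLOWS, 50, 5, exclude_dns=["10.0.0.2/32"]))
    print(dns_query_anomalies(SAMPLE_FLOWS, 50, 5))
```

With the resolver excluded, only 10.0.0.66 is reported. Without the exclusion, the resolver itself is reported and its volume raises the average enough that the burst from 10.0.0.66 stays under the threshold.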

Assigned filter

Only flows whose source IP address matches the assigned filter will be processed.

Interpretation of results

This method reliably alerts on an increased number of DNS queries, which can indicate excessive DNS server load, a network attack, the presence of malicious applications, or even data exfiltration through the DNS protocol.
