Performing DNS Tunneling Detection

Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing query length distributions, inspecting TXT record payloads, and identifying high subdomain cardinality. Uses scapy for packet capture analysis and statistical methods to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration.

Published by @mukul975·0 agent reads / 30d·0 saves·Updated June 14, 2026

Performing DNS Tunneling Detection

When to Use

When conducting security assessments that involve performing dns tunneling detection
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing

Prerequisites

Familiarity with security operations concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Instructions

Analyze DNS traffic for indicators of DNS tunneling using entropy analysis and statistical methods on query name characteristics.

import math
from collections import Counter

def shannon_entropy(data):
    if not data:
        return 0
    counter = Counter(data)
    length = len(data)
    return -sum((c/length) * math.log2(c/length) for c in counter.values())

# Legitimate domain: low entropy (~3.0-3.5)
print(shannon_entropy("www.google.com"))
# DNS tunnel: high entropy (~4.0-5.0)
print(shannon_entropy("aGVsbG8gd29ybGQ.tunnel.example.com"))

Key detection indicators:

High Shannon entropy in query names (> 3.5 for subdomain labels)
Unusually long query names (> 50 characters)
High volume of TXT record requests to a single domain
High unique subdomain count per parent domain
Non-standard character distribution in labels

Examples

from scapy.all import rdpcap, DNS, DNSQR
packets = rdpcap("dns_traffic.pcap")
for pkt in packets:
    if pkt.haslayer(DNSQR):
        query = pkt[DNSQR].qname.decode()
        entropy = shannon_entropy(query)
        if entropy > 4.0:
            print(f"Suspicious: {query} (entropy={entropy:.2f})")

Bundled with this artifact

5 files

Reference files that ship alongside this artifact. Agents pull these in only when the task needs them.

More on the bench

Devsecops Ssdlc Appsec Cursor Rule

Cursor rules for secure coding, secret handling, dependency hygiene, authentication, authorization, security testing, and compliance documentation.

cybersecurity-soc+1

Audit Skills

Expert security auditor for AI Skills and Bundles. Performs non-intrusive static analysis to identify malicious patterns, data leaks, system stability risks, and obfuscated payloads across Windows, macOS, Linux/Unix, and Mobile (Android/iOS).

sickn33 and contributors

cybersecurity-soc+2

VibeSec Skill

This skill helps Claude write secure web applications. Use this when working on any web application or when a user requests a scan or audit to ensure security best practices are followed.

cybersecurity-soc+2

Sharebench · Public bench

Connect via MCP.

Add the public bench to any AI tool. Your agents read every artifact you see — no signup needed.

1Pick your tool

# Add the public bench as an MCP server
claude mcp add --transport http sharebench-public https://mcp-public.sharebench.ai

# Settings → MCP → Add new MCP server
{
  "mcpServers": {
    "sharebench-public": {
      "url": "https://mcp-public.sharebench.ai"
    }
  }
}

# Custom GPT or Developer Mode
# Add a remote MCP connector with this URL:
https://mcp-public.sharebench.ai

# Append to ~/.codex/config.toml
[mcp_servers.sharebench_public]
url = "https://mcp-public.sharebench.ai"

2Ask your agent for an artifact

Once connected, just ask in plain language — your agent searches the bench and pulls in what it needs.“Pull the brand voice from sharebench and rewrite this draft.”