Detect hosts connecting to dynamic domain providers

name: Detect hosts connecting to dynamic domain providers
id: a1e761ac-1344-4dbd-88b2-3f34c912d359
version: 11
date: '2026-03-10'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.
data_source:
    - Sysmon EventID 22
search: |
    | tstats `security_content_summariesonly` count min(_time) as firstTime
      from datamodel=Network_Resolution where
      DNS.query=*
      NOT DNS.query IN ("-", "unknown")
      by DNS.answer DNS.answer_count DNS.query DNS.query_count
         DNS.reply_code_id DNS.src DNS.vendor_product
    | `drop_dm_object_name("DNS")`
    | `security_content_ctime(firstTime)`
    | lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default
    | lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local
    | eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default)
    |fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True
    | `detect_hosts_connecting_to_dynamic_domain_providers_filter`
how_to_implement: "First, you'll need to ingest data from your DNS operations. This can be done by ingesting logs from your server or data, collected passively by Splunk Stream or a similar solution. Specifically, data that contains the domain that is being queried and the IP of the host originating the request must be populating the `Network_Resolution` data model. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of Dynamic DNS providers. Please consider updating the local lookup periodically by adding new domains to the list of `dynamic_dns_providers_local.csv`.\n This search produces fields (query, answer, isDynDNS) that are not yet supported by Mission Control Queue and therefore cannot be viewed when a finding is raised. These fields contribute additional context to the finding. To see the additional metadata, add the following fields, if not already present, to Mission Control Queue. Event Attributes (Configure > Findings and Investigations > Add New field):\n* **Label:** DNS Query, **Field:** query\n* **Label:** DNS Answer, **Field:** answer\n* **Label:** IsDynamicDNS, **Field:** isDynDNS\n"
known_false_positives: Some users and applications may leverage Dynamic DNS to reach out to some domains on the Internet since dynamic DNS by itself is not malicious, however this activity must be verified.
references: []
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A dns query $query$ from your infra connecting to suspicious domain
    risk_objects:
        - field: src
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Data Protection
        - Prohibited Traffic Allowed or Protocol Mismatch
        - DNS Hijacking
        - Suspicious DNS Traffic
        - Dynamic DNS
        - Command And Control
    asset_type: Endpoint
    mitre_attack_id:
        - T1189
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/dyn_dns_site/windows-sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog