Skill

performing-dns-tunneling-detection

Detects DNS tunneling attacks by calculating Shannon entropy of query names, analyzing lengths and TXT payloads, and identifying high subdomain cardinality using scapy packet capture in Python. Useful for threat hunting in data exfiltration scenarios.

Python

security

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

使用熵分析和统计方法对查询名称特征进行分析，检测 DNS 流量中的 DNS 隧道指标。

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

performing-dns-tunneling-detection

5.9k

Detects DNS tunneling by calculating Shannon entropy of query names, analyzing lengths and TXT payloads, and checking subdomain cardinality with scapy packet analysis. For security ops and data exfiltration hunts.

3 files

cybersecurity-skills

performing-dns-tunneling-detection

Detects DNS tunneling via Shannon entropy on query names, length distributions, TXT payloads, and subdomain cardinality using scapy packet capture and stats. For data exfiltration hunts.

asi

detecting-dns-exfiltration-with-dns-query-analysis

Detects DNS tunnel data exfiltration via passive DNS monitoring, analyzing query entropy, subdomain lengths, query volumes, TXT record abuse, and response payload sizes.

3 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

DNS 隧道检测

使用说明

使用熵分析和统计方法对查询名称特征进行分析，检测 DNS 流量中的 DNS 隧道指标。

import math from collections import Counter def shannon_entropy(data): if not data: return 0 counter = Counter(data) length = len(data) return -sum((c/length) * math.log2(c/length) for c in counter.values()) # 合法域名：低熵（~3.0-3.5） print(shannon_entropy("www.google.com")) # DNS 隧道：高熵（~4.0-5.0） print(shannon_entropy("aGVsbG8gd29ybGQ.tunnel.example.com"))

关键检测指标：

查询名称香农熵过高（子域名标签 > 3.5）

查询名称异常长（> 50 字符）

单个域名的 TXT 记录请求量过高

每个父域名下的唯一子域名数量过多

标签中字符分布异常

示例

from scapy.all import rdpcap, DNS, DNSQR packets = rdpcap("dns_traffic.pcap") for pkt in packets: if pkt.haslayer(DNSQR): query = pkt[DNSQR].qname.decode() entropy = shannon_entropy(query) if entropy > 4.0: print(f"可疑：{query}（entropy={entropy:.2f}）")

DNS 隧道检测

使用说明

使用熵分析和统计方法对查询名称特征进行分析，检测 DNS 流量中的 DNS 隧道指标。

import math
from collections import Counter

def shannon_entropy(data):
    if not data:
        return 0
    counter = Counter(data)
    length = len(data)
    return -sum((c/length) * math.log2(c/length) for c in counter.values())

# 合法域名：低熵（~3.0-3.5）
print(shannon_entropy("www.google.com"))
# DNS 隧道：高熵（~4.0-5.0）
print(shannon_entropy("aGVsbG8gd29ybGQ.tunnel.example.com"))

关键检测指标：

查询名称香农熵过高（子域名标签 > 3.5）
查询名称异常长（> 50 字符）
单个域名的 TXT 记录请求量过高
每个父域名下的唯一子域名数量过多
标签中字符分布异常

示例

from scapy.all import rdpcap, DNS, DNSQR
packets = rdpcap("dns_traffic.pcap")
for pkt in packets:
    if pkt.haslayer(DNSQR):
        query = pkt[DNSQR].qname.decode()
        entropy = shannon_entropy(query)
        if entropy > 4.0:
            print(f"可疑：{query}（entropy={entropy:.2f}）")