Skill

performing-dns-tunneling-detection

From asi

Detects DNS tunneling via Shannon entropy on query names, length distributions, TXT payloads, and subdomain cardinality using scapy packet capture and stats. For data exfiltration hunts.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When conducting security assessments that involve performing dns tunneling detection

SKILL.md

Similar Skills

performing-dns-tunneling-detection

5.9k

Detects DNS tunneling by calculating Shannon entropy of query names, analyzing lengths and TXT payloads, and checking subdomain cardinality with scapy packet analysis. For security ops and data exfiltration hunts.

3 files

cybersecurity-skills

performing-dns-tunneling-detection

Detects DNS tunneling attacks by calculating Shannon entropy of query names, analyzing lengths and TXT payloads, and identifying high subdomain cardinality using scapy packet capture in Python. Useful for threat hunting in data exfiltration scenarios.

3 files

cybersecurity-skills-zh

detecting-dns-exfiltration-with-dns-query-analysis

Detects DNS tunneling data exfiltration by analyzing query entropy, subdomain length, volume, TXT record abuse, and response sizes via passive DNS monitoring. For security incident response and threat hunting.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Performing DNS Tunneling Detection

When to Use

When conducting security assessments that involve performing dns tunneling detection

When following incident response procedures for related security events

When performing scheduled security testing or auditing activities

When validating security controls through hands-on testing

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Analyze DNS traffic for indicators of DNS tunneling using entropy analysis and statistical methods on query name characteristics.

import math from collections import Counter def shannon_entropy(data): if not data: return 0 counter = Counter(data) length = len(data) return -sum((c/length) * math.log2(c/length) for c in counter.values()) # Legitimate domain: low entropy (~3.0-3.5) print(shannon_entropy("www.google.com")) # DNS tunnel: high entropy (~4.0-5.0) print(shannon_entropy("aGVsbG8gd29ybGQ.tunnel.example.com"))

Key detection indicators:

High Shannon entropy in query names (> 3.5 for subdomain labels)

Unusually long query names (> 50 characters)

High volume of TXT record requests to a single domain

High unique subdomain count per parent domain

Non-standard character distribution in labels

Examples

from scapy.all import rdpcap, DNS, DNSQR packets = rdpcap("dns_traffic.pcap") for pkt in packets: if pkt.haslayer(DNSQR): query = pkt[DNSQR].qname.decode() entropy = shannon_entropy(query) if entropy > 4.0: print(f"Suspicious: {query} (entropy={entropy:.2f})")