Wireshark Lab: Detecting DNS Exfiltration in PCAP Traffic
Learn how to detect DNS exfiltration in Wireshark PCAP files. Step-by-step lab walkthrough covering key filters, indicators of compromise, and CySA+ CS0-003 exam tips.
DNS exfiltration is a data theft technique where an attacker encodes stolen data inside DNS queries and sends it to an attacker-controlled DNS server. Because DNS traffic is rarely blocked by firewalls and often overlooked by security teams, it makes a highly effective covert channel. For the CySA+ CS0-003 exam, DNS exfiltration falls under Domain 1 — Security Operations and is a key technique in the threat hunting and network traffic analysis sections.
Why DNS Is Used for Exfiltration
DNS is trusted. Almost every network allows DNS outbound on port 53, and blocking it breaks everything else. Attackers exploit this trust by encoding data inside the labels of a DNS query name. Instead of querying google.com, the malware queries aGVsbG8gd29ybGQ.attacker.com, where the leftmost label is the stolen data (here, Base64 of "hello world"). In practice tunnelling tools favour Base32 or hex: DNS names are case-insensitive and cannot contain + or /, so plain Base64 only survives if every resolver on the path preserves case. Each label is limited to 63 bytes and the whole name to 253, so a stolen file becomes hundreds of sequentially numbered queries. The victim only ever talks to its normal recursive resolver; the resolver forwards each query to the authoritative server for attacker.com, which decodes the labels and reassembles the file. No direct connection to the attacker is ever made, just normal-looking DNS traffic.
What to Look For in Wireshark
Open your PCAP in Wireshark and filter for DNS traffic with the display filter dns. Then look for these four red flags. First, abnormally long query names: legitimate names are short (google.com, microsoft.com, and even most CDN hostnames stay under 40 characters), while exfiltration queries run 50 to 200+ characters and their leftmost labels look like random Base32 or hex. Second, high query frequency: hundreds of queries per minute to the same domain, almost all for a different subdomain, because every chunk needs a fresh name that no cache will answer. Third, unusual top-level domains: attackers often use newly registered domains or uncommon TLDs (.xyz, .top, .click). Fourth, responses that carry no real answer: the subdomain never needs to resolve, so the attacker's server often replies NXDOMAIN, or, for two-way tunnels, answers with TXT or NULL records that a normal client would rarely request.
Step-by-Step Wireshark Analysis
Step 1: apply the DNS filter by typing dns in the filter bar and pressing Enter. Step 2: sort by the Info column and scan for unusually long query strings. Step 3: right-click a suspicious query, then Follow → UDP Stream, to see the raw bytes of that query and its response. Step 4: check query length by replacing the filter with dns.qry.name.len > 50 (Edit → Find Packet with the Display filter option jumps to the next match instead of filtering the view). Step 5: check query frequency. Statistics → DNS summarises query types, response codes and query-name lengths for the whole capture; to see which domains are queried most, filter on dns.flags.response == 0, then export the query names (File → Export Packet Dissections → As CSV) and count them per domain, or use Statistics → Conversations → UDP to spot the busiest client-to-resolver pair. Step 6: export the suspicious packets with File → Export Specified Packets for further analysis or incident documentation.
Key Wireshark Filters for DNS Exfiltration
Use these filters during your analysis. To show all DNS traffic: dns. To find long query names: dns.qry.name.len > 40. To find a specific suspicious domain: dns.qry.name contains "suspicious-domain" (contains is case-sensitive; dns.qry.name matches "suspicious-domain" gives a case-insensitive regex match). To show only DNS queries (not responses): dns.flags.response == 0. To find NXDOMAIN responses: dns.flags.rcode == 3. To find high-frequency queries to one domain: use Statistics → Conversations → UDP, sort by packets, then confirm the domain behind the busiest conversation with the filters above.
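Worked example, added here and not part of the original lab: a dependency-free Python script that first builds the kind of queries described above (a constructed secret, Base32-encoded and chunked into numbered labels under the hypothetical zone attacker.example), then applies the indicators from this lab to a list of (query name, rcode) pairs of the sort you can export from a capture with tshark -r capture.pcap -Y dns -T fields -e dns.qry.name -e dns.flags.rcode, and finally decodes the chunks sent to the flagged domain to show what actually left the network. The secret, the benign names and the zone are all constructed; the thresholds (40 characters, entropy 3.5, five queries) are illustrative starting points, not tuned values.

```python
import base64
import math
from collections import Counter, defaultdict

# --- Constructed sample data (not taken from any real capture) ---------------
EXFIL_ZONE = "attacker.example"   # hypothetical attacker-controlled zone
SECRET = b"user=admin;pass=Hunter2!;db=prod-customers;token=eyJhbGciOiJIUzI1NiJ9"


def build_exfil_queries(data, zone, chunk=24):
    """Encode data the way a minimal exfil client does: Base32 rather than
    Base64 (DNS names are case-insensitive and cannot carry '+' or '/'),
    chunked into labels well under the 63-byte limit, each prefixed with a
    sequence number so the receiving server can reassemble chunks in order."""
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    return [f"{i}.{enc[p:p + chunk]}.{zone}"
            for i, p in enumerate(range(0, len(enc), chunk))]


def benign_queries():
    """Constructed background traffic: (qname, rcode) pairs, rcode 0 = NOERROR."""
    return [("www.google.com", 0), ("outlook.office.com", 0),
            ("login.microsoftonline.com", 0), ("www.google.com", 0),
            ("e6858.dscx.akamaiedge.net", 0)]


# --- Detection ----------------------------------------------------------------
def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive registrable-domain cut: the last two labels. Production code
    should use the Public Suffix List (co.uk etc.); fine for this sample."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_query(qname, long_len=40, min_entropy=3.5):
    """Per-query indicators: total name length (Wireshark: dns.qry.name.len)
    and entropy of the subdomain part, which is high for Base32/hex labels."""
    dom = registered_domain(qname)
    sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
    ent = shannon_entropy(sub.replace(".", ""))
    return {"len": len(qname), "entropy": round(ent, 2),
            "hit": len(qname) > long_len or ent > min_entropy}


def analyze(queries, min_queries=5):
    """Aggregate (qname, rcode) pairs per registrable domain. A domain is
    flagged when it gets a burst of queries, nearly all for distinct names,
    and either most names are long/high-entropy or most answers are NXDOMAIN
    (rcode 3, the Wireshark filter dns.flags.rcode == 3)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "hits": 0, "names": set()})
    for qname, rcode in queries:
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        s["nxdomain"] += rcode == 3
        s["hits"] += score_query(qname)["hit"]
    suspicious = []
    for dom, s in stats.items():
        nx_ratio = s["nxdomain"] / s["queries"]
        unique_ratio = len(s["names"]) / s["queries"]
        if (s["queries"] >= min_queries and unique_ratio > 0.8
                and (s["hits"] >= s["queries"] / 2 or nx_ratio > 0.5)):
            suspicious.append(dom)
    return stats, suspicious


def reconstruct(queries, zone):
    """Reverse the encoding for every query under a flagged zone: what the
    attacker's server does, and what an analyst does to learn what was stolen."""
    chunks = {}
    for qname, _ in queries:
        if not qname.endswith("." + zone):
            continue
        labels = qname[: -len(zone) - 1].split(".")
        if len(labels) == 2 and labels[0].isdigit():
            chunks[int(labels[0])] = labels[1]
    enc = "".join(chunks[i] for i in sorted(chunks)).upper()
    return base64.b32decode(enc + "=" * (-len(enc) % 8))   # restore padding


if __name__ == "__main__":
    traffic = benign_queries() + [(q, 3) for q in build_exfil_queries(SECRET, EXFIL_ZONE)]
    stats, suspicious = analyze(traffic)
    for dom, s in stats.items():
        print(f"{dom:24} queries={s['queries']:2} unique={len(s['names']):2} "
              f"nxdomain={s['nxdomain']:2} long/high-entropy={s['hits']:2}")
    print("suspicious domains:", suspicious)
    for dom in suspicious:
        print("recovered from", dom + ":", reconstruct(traffic, dom))
```

The domain-level aggregation is the part that matters operationally: the last chunk of a transfer is short and can slip under a pure length filter, but once a zone is flagged for its burst of unique, unresolvable names, every query to it is pulled in and decoded. The same logic also explains the false positives you will meet: CDN and anti-spam lookups produce long, high-entropy names, but they resolve (rcode 0) and repeat, so the unique-name and NXDOMAIN ratios stay low.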
CySA+ Exam Takeaways
DNS exfiltration is a covert channel technique that abuses trusted DNS traffic to bypass firewalls. Key indicators include abnormally long query subdomains, high query volume to a single domain, unusual TLDs, and NXDOMAIN responses. In Wireshark, use the dns filter combined with dns.qry.name.len to identify suspicious queries. For the CySA+ exam, know that DNS tunneling tools like iodine, dnscat2, and dns2tcp are commonly used by attackers and that detecting them requires behavioral analysis, not just signature matching.