Spot covert DNS exfiltration signals fast and confidently. Tune thresholds with realistic traffic metrics. Export evidence, prioritize alerts, and act with clarity.
| Scenario | Total Queries | Suspicious Queries | NXDOMAIN % | TXT % | Avg Subdomain Len (chars) | Entropy (bits/char) | Unique Subdomains |
|---|---|---|---|---|---|---|---|
| Typical office hour traffic | 12000 | 240 | 6 | 2 | 14 | 3.0 | 180 |
| CDN / app spikes | 30000 | 900 | 12 | 4 | 18 | 3.4 | 600 |
| Possible tunneling pattern | 15000 | 1600 | 28 | 18 | 33 | 4.3 | 2100 |
This calculator converts multiple DNS signals into a single risk score (0–100). Each signal is normalized to a 0–1 range, then combined using weights.
DNS is ubiquitous, permitted through many network boundaries, and often lightly inspected. Attackers exploit this by encoding outbound data into query names (subdomains) and inbound data into response records such as TXT, then relying on ordinary recursive resolvers to relay the traffic to an authoritative server they control. Because DNS is chatty by nature, suspicious patterns can blend into normal application lookups. A structured calculation helps teams compare time windows consistently and quickly surface outliers.
No single metric proves tunneling. Higher subdomain entropy suggests randomized or encoded strings, while longer labels and more labels per query may reflect chunking. Elevated unique subdomain counts imply rapid label churn, common when data is segmented across requests. NXDOMAIN spikes can appear when generated labels are not registered. A noticeable share of TXT queries may indicate larger payload needs.
This calculator normalizes each input into a 0–1 range using practical thresholds, then applies weights to reflect typical impact. Suspicious-query rate, entropy, and label length receive more influence than response size, so the score remains stable when benign record sizes vary. The output is a 0–100 value that supports simple banding: low, medium, or high risk. For best results, compute scores hourly and daily, then chart trends. Consistent increases, especially outside business hours, deserve attention. Pair the score with policy context, ticket history, and resolver logs for reliable prioritization across all segments.
Start with baselines from known-good networks and separate by environment, such as office users, servers, and development labs. Small organizations may have noisier percentages, so compare absolute counts alongside rates. Add allow-lists for trusted domains and monitoring for newly observed domains. Revisit thresholds after major DNS changes, new security products, or business migrations to prevent drift.
A high score should trigger triage, not immediate containment. Pivot on the queried domain, then enumerate client sources, query timing, and label structure. Inspect the left-most label for encoding artifacts, and correlate with endpoint telemetry or proxy logs. If feasible, capture packets to validate record types and payload sizes. Document findings and export reports for auditing and incident notes.
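The following is an added example, not the calculator's own code: it takes constructed resolver log lines, derives the per-domain signals discussed above (NXDOMAIN and TXT share, subdomain length, left-most-label entropy, unique-subdomain churn), normalizes each into 0–1, combines them with weights into a 0–100 score, and lists the top source clients per domain for the triage pivot. The log format, normalization thresholds, weights and band cut-offs are assumptions chosen for illustration; the registrable domain is taken as the last two labels, which a real tool would replace with a public-suffix lookup.

```python
"""Added example: DNS log lines -> per-domain signals -> weighted 0-100 risk score.
Thresholds, weights, bands and the log format are illustrative assumptions."""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Fields: client qname qtype rcode
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 www.example.com A NOERROR
10.0.0.6 www.example.com A NOERROR
10.0.0.6 www.example.com A NOERROR
10.0.0.5 cdn.example.com A NOERROR
10.0.0.6 cdn.example.com A NOERROR
10.0.0.7 api.example.com A NOERROR
10.0.0.7 api.example.com A NOERROR
10.0.0.7 mail.example.com MX NOERROR
10.0.0.8 typo.example.com A NXDOMAIN
10.0.0.9 3f9a0c7e1b5d2846a91e6b0f3c7d5284.00.exfil.test TXT NXDOMAIN
10.0.0.9 0123456789abcdeffedcba9876543210.01.exfil.test TXT NXDOMAIN
10.0.0.9 7c2e9a4f1d6b8035b4d8f2a6c0e31957.02.exfil.test TXT NOERROR
10.0.0.9 5e0b9c3a7f1d4826d6a2f0c8b4e91735.03.exfil.test TXT NXDOMAIN
10.0.0.12 a91e6b0f3c7d52847c2e9a4f1d6b8035.04.exfil.test TXT NXDOMAIN
10.0.0.12 fedcba98765432105e0b9c3a7f1d4826.05.exfil.test TXT NOERROR
"""

# Assumed normalization bounds: value at lo -> 0, at hi -> 1, clipped in between.
THRESHOLDS = {
    "entropy": (3.0, 4.2),       # mean Shannon entropy of the left-most label, bits/char
    "avg_sub_len": (10, 35),     # mean length of the subdomain part, chars
    "unique_ratio": (0.2, 0.9),  # unique subdomains / total queries to the domain
    "nxdomain_pct": (5, 30),
    "txt_pct": (0, 20),
}
# Assumed weights: entropy and label length dominate, as the text describes.
WEIGHTS = {"entropy": 0.30, "avg_sub_len": 0.25, "unique_ratio": 0.20,
           "nxdomain_pct": 0.15, "txt_pct": 0.10}


def shannon_entropy(label: str) -> float:
    """Bits per character of one DNS label (0 for empty or single-symbol labels)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse_log(text: str) -> list[dict]:
    """Parse the assumed 'client qname qtype rcode' line format."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qname, qtype, rcode = line.split()
            records.append({"client": client, "qname": qname.lower().rstrip("."),
                            "qtype": qtype.upper(), "rcode": rcode.upper()})
    return records


def split_name(qname: str, suffix_labels: int = 2) -> tuple[str, str]:
    """Return (registrable domain, subdomain part). Fixed two-label suffix for
    simplicity; production code should consult the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-suffix_labels:]), ".".join(labels[:-suffix_labels])


def domain_metrics(records: list[dict]) -> dict[str, dict]:
    """Aggregate the tunneling signals per registrable domain."""
    by_domain = defaultdict(list)
    for r in records:
        domain, sub = split_name(r["qname"])
        by_domain[domain].append((r, sub))
    metrics = {}
    for domain, items in by_domain.items():
        n = len(items)
        subs = [sub for _, sub in items]
        metrics[domain] = {
            "total": n,
            "nxdomain_pct": 100 * sum(r["rcode"] == "NXDOMAIN" for r, _ in items) / n,
            "txt_pct": 100 * sum(r["qtype"] == "TXT" for r, _ in items) / n,
            "avg_sub_len": sum(len(s) for s in subs) / n,
            "entropy": sum(shannon_entropy(s.split(".")[0]) for s in subs) / n,
            "unique_ratio": len(set(subs)) / n,
            "clients": Counter(r["client"] for r, _ in items),  # triage pivot
        }
    return metrics


def normalize(value: float, lo: float, hi: float) -> float:
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))


def risk_score(m: dict) -> float:
    """Weighted sum of normalized signals, scaled to 0-100."""
    return 100 * sum(w * normalize(m[k], *THRESHOLDS[k]) for k, w in WEIGHTS.items())


def band(score: float) -> str:
    return "low" if score < 35 else "medium" if score < 70 else "high"


def score_log(text: str) -> dict[str, dict]:
    """Score every domain seen in the log; returns metrics plus score and band."""
    out = {}
    for domain, m in domain_metrics(parse_log(text)).items():
        s = risk_score(m)
        out[domain] = {**m, "score": round(s, 1), "band": band(s)}
    return out


if __name__ == "__main__":
    for domain, r in sorted(score_log(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        top = ", ".join(f"{c} ({n})" for c, n in r["clients"].most_common(3))
        print(f"{domain:<12} score={r['score']:5.1f} {r['band']:<6} entropy={r['entropy']:.2f} "
              f"sub_len={r['avg_sub_len']:.1f} nx={r['nxdomain_pct']:.0f}% "
              f"txt={r['txt_pct']:.0f}% clients: {top}")
```

On this constructed input the hex-encoded exfil.test names score in the high band while example.com stays low; the unique-subdomain ratio is the signal most distorted by small samples, which is why absolute counts should be reviewed alongside it.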
It estimates how strongly your DNS metrics resemble tunneling behavior. It is a weighted comparison of normalized indicators, not a definitive verdict. Use it to rank windows, domains, or clients for investigation.
No. High entropy can also appear in CDNs, tracking, and some security products. Combine entropy with label length, query volume patterns, unique subdomain churn, and record-type usage to reduce false positives.
Start with two weeks of known-good data and calculate typical ranges per network segment. Set thresholds near the upper tail, then review alerts weekly. Adjust after DNS architecture changes or major application deployments.
TXT records can carry more data than many common records, so some tunnels prefer them for payload transfer. However, TXT is also used legitimately for verification and email authentication, so context is essential.
Not always. Misconfigurations, typos, and aggressive service discovery can raise NXDOMAIN. It becomes more concerning when paired with long, random-looking labels and many unique subdomains from a small set of clients.
Identify the queried domain and top source clients, then inspect label structure and timing. Correlate with endpoint and proxy telemetry. If feasible, capture packets to confirm record types and payload sizes, then document findings.
Important Note: All the calculators listed on this site are for educational purposes only and we do not guarantee the accuracy of results. Please consult other sources as well.