Try in Splunk Security Cloud


Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution, Web
  • Last Updated: 2018-09-06
  • Author: Bhavin Patel, Splunk
  • ID: 8169f17b-ef68-4b59-aae8-586907301221


Dynamic DNS services (DDNS) are legitimate low-cost or free services that allow users to rapidly update domain resolutions to IP infrastructure. While their usage can be benign, malicious actors can abuse DDNS to host harmful payloads or interactive-command-and-control infrastructure. These attackers will manually update or automate domain resolution changes by routing dynamic domains to IP addresses that circumvent firewall blocks and deny lists and frustrate a network defender’s analytic and investigative processes. These searches will look for DNS queries made from within your infrastructure to suspicious dynamic domains and then investigate more deeply, when appropriate. While this list of top-level dynamic domains is not exhaustive, it can be dynamically updated as new suspicious dynamic domains are identified.


Name Technique Type
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Anomaly
Detect hosts connecting to dynamic domain providers Drive-by Compromise TTP
Detect web traffic to dynamic domain providers Web Protocols TTP
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Anomaly


source | version: 2