Detects if a tripe A DNS response contains or not an IP announced. In case the response contains a non-announced IPv6 we can think there is a kind of cover-channel communication attempt.
Source table → network.dns
SecOpsTooLongDNSResponse
Monitor TXT and ANY responses to detect infiltrations or possible reflection attacks.
Source table → network.dns
SecOpsTLDFromDomainNotInMozillaTLD
Detect a domain with a TLD, not in Mozilla TLD List.
Source table → domains.all
SecOpsHostDNSBasedCovertChannelIpv6Record
Detects if a tripe A DNS response contains or not an IP announced. In case the response contains a non-announced IPv6, we can think there is a kind of cover-channel communication attempt.