All topics ›
SOC Analyst ›
Network Sec
Network Sec · SOC Analyst Explain how you'd detect DNS tunneling using Splunk.
DNS tunneling = encoding data in DNS queries/responses to bypass firewalls. Detection patterns: (1) Unusually long subdomain names (legitimate DNS rarely has 200+ char subdomains): index=dns | eval subdomain_length=len(query) | where subdomain_length > 100. (2) High query volume from single client: index=dns | stats count by src_ip | where count > 1000 (per hour). (3) High entropy in subdomains (random-looking strings): use Splunk MLTK shannon entropy command or custom Python. (4) Unusual record types (TXT, NULL queries from clients): index=dns query_type IN (TXT, NULL) NOT src_ip IN (legit_resolver_list). Tools: Splunk Enterprise Security has DNS analytics; standalone: bandit / Suricata DNS rules; ML option: MLTK anomaly detection on DNS metrics.
Want the full explanation? This is the atomic answer suitable for
quick interview prep. For the structured deep-dive — including code samples,
strong-answer vs weak-answer notes, common follow-up questions, and how this fits
the larger soc analyst topic — see the full Q&A on Networkers Home:
→ SOC Analyst Interview Hub — Full Q&A with deep context
→ SOC Analyst Interview Hub — Full Q&A with deep context
How Networkers Home prepares students for this kind of question
This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.
→ View the complete soc analyst interview prep hub
→ View the related Networkers Home course
→ Book a free career consultation