DNS Tunneling — Spot the C2 Channel
Hard Network Forensics · 40 min
Scenario
One workstation's Pi-hole DNS query log covers 30 minutes of activity. One of the apex domains in it is being abused as a DNS-tunneling C2 channel: the implant encodes the data it exfiltrates into long pseudo-random subdomain labels of the names it looks up, and the attacker's authoritative server for that apex sends commands back in the answers.
Find the apex domain that is the tunnel.
Telltale signs of DNS tunneling
- Very high query volume per apex: hundreds of queries in a short window, orders of magnitude above what normal browsing generates for one domain, and almost every queried name is unique (a repeated name would be served from cache and never reach the resolver log again).
- Long, high-entropy subdomain labels: base32/base64-encoded payload chunks, often close to the 63-character label limit, rather than human-readable words.
- Every query resolves: the attacker's nameserver answers each never-before-seen name, typically with A or TXT records whose contents carry the downstream data, so you see no NXDOMAIN burst despite hundreds of novel names.
- No matching web traffic: the host never visited the domain in a browser, so nothing in browser history or proxy logs explains the lookups.
Answer format
Submit the apex domain only (no subdomain, lowercase):
suspicious-cdn.example
(Example shape — not the answer.)
Hints
Hint 1 (−10 pts)
Count queries per apex domain in the log. One apex stands out with 200+ queries in 30 min, all with random-looking 30+ char subdomains.
Hint 2 (−10 pts)
Domains like cdn.cloudflare.com, sentry.io, www.google.com have normal patterns. The anomalous one is mining-stats.net with long base32-ish labels.
Hint 3 (−10 pts)
Answer: mining-stats.net
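The following script turns the telltale signs listed above and the per-apex count from Hint 1 into detection logic. It is an added example, not part of the lab or its tooling: it parses dnsmasq-style query lines (the format Pi-hole writes to pihole.log, assumed here), groups them by apex domain, and flags apexes with high query volume, long subdomain labels and high label entropy. The log it runs on is constructed inline using the page's placeholder apex, not the lab's capture; the thresholds, the two-part suffix list and the timestamps are assumptions.

```python
"""DNS-tunnel triage over dnsmasq/Pi-hole style query logs (added example)."""
import base64
import hashlib
import math
import re
from collections import defaultdict

# A dnsmasq "query" line as Pi-hole writes it to pihole.log (format assumed here):
#   Mar  3 10:15:22 dnsmasq[1234]: query[A] www.google.com from 192.168.1.50
# "forwarded", "reply" and "cached" lines carry no new query and are skipped.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

# Naive apex extraction: last two labels, plus a tiny list of two-part public
# suffixes (assumed). A production tool should use the full Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def apex_of(name: str) -> str:
    labels = name.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def score_apexes(lines):
    """Per-apex indicators: query count, unique prefixes, longest-label length, entropy, qtypes."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(),
                                 "label_len": [], "entropy": [], "qtypes": set()})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        apex = apex_of(name)
        prefix = name[:-len(apex)].rstrip(".")          # everything left of the apex
        st = stats[apex]
        st["queries"] += 1
        st["prefixes"].add(prefix)
        st["label_len"].append(max(len(lbl) for lbl in prefix.split(".")))
        st["entropy"].append(shannon_entropy(prefix.replace(".", "")))
        st["qtypes"].add(m.group("qtype"))
    return stats


def tunnel_candidates(lines, min_queries=100, min_label_len=30, min_entropy=3.5):
    """Apexes crossing all three thresholds (threshold values are assumptions), busiest first."""
    found = []
    for apex, st in score_apexes(lines).items():
        n = st["queries"]
        mean_len = sum(st["label_len"]) / n
        mean_ent = sum(st["entropy"]) / n
        if n >= min_queries and mean_len >= min_label_len and mean_ent >= min_entropy:
            found.append({"apex": apex, "queries": n,
                          "mean_label_len": round(mean_len, 1),
                          "mean_entropy": round(mean_ent, 2),
                          "unique_ratio": round(len(st["prefixes"]) / n, 2),
                          "qtypes": sorted(st["qtypes"])})
    return sorted(found, key=lambda r: -r["queries"])


def build_sample_log(tunnel_apex="suspicious-cdn.example", n_tunnel=200):
    """Constructed 30-minute log (not the lab's data): browsing noise plus one base32 tunnel."""
    benign = ["www.google.com", "cdn.cloudflare.com", "sentry.io"]
    stamp = "Mar  3 10:{:02d}:{:02d} dnsmasq[1234]: "
    lines = []
    for i in range(60):                                   # one benign lookup every 30 s
        name = benign[i % len(benign)]
        lines.append(stamp.format(i // 2, (i % 2) * 30) + f"query[A] {name} from 192.168.1.50")
        lines.append(stamp.format(i // 2, (i % 2) * 30) + f"reply {name} is 203.0.113.7")
    for i in range(n_tunnel):                             # roughly 7 tunnel queries per minute
        chunk = hashlib.sha256(f"chunk-{i}".encode()).digest()[:25]  # stands in for C2 payload
        label = base64.b32encode(chunk).decode().lower()               # 25 bytes -> 40 chars, no '='
        qtype = "TXT" if i % 4 == 0 else "A"
        lines.append(stamp.format(i * 30 // n_tunnel, (i * 9) % 60)
                     + f"query[{qtype}] {label}.{tunnel_apex} from 192.168.1.50")
    return lines


if __name__ == "__main__":
    for hit in tunnel_candidates(build_sample_log()):
        print(hit)
```

The fourth sign (no matching web traffic) needs a second data source such as proxy or browser-history logs, so it is not scored here. The unique-prefix ratio is reported alongside the three scored indicators because it separates a tunnel (every name new) from a busy but legitimate CDN (a few names repeated), and the naive two-label apex split will mis-group names under suffixes like co.uk unless the suffix list is extended.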