Catching data that hides inside DNS
DNS tunneling smuggles data out of a network inside ordinary-looking lookups. You can't eyeball it, and there's far too much of it to inspect by hand, so detection has to be statistical, interpretable, and built to scale.
DNS is the phone book of the internet, and almost nobody watches it. That's exactly why attackers love it: you can encode stolen data into a sequence of DNS queries, a7f3b2.exfil.example.com, 9c1e4d.exfil.example.com, and it slides right past most defenses as "normal" lookups. This is DNS tunneling, and it was the problem behind NetSec Analyzer.
Why you can't just look
Two things make manual detection hopeless:
- Volume. A real network makes millions of DNS requests. No human is reading those.
- Camouflage. Individually, a tunneled query looks like any other lookup. The signal isn't in one request, it's in the distribution of many.
So the job isn't "spot the bad query." It's "measure the shape of the traffic and find where it stops looking like DNS."
Features that separate signal from noise
The detector runs on features engineered from DNS query characteristics:
# The tells of tunneling, per domain:
features = {
"subdomain_entropy": shannon_entropy(subdomain), # encoded data looks random
"query_length": len(qname), # tunnels pack bytes in → long
"request_rate": queries_per_window(domain), # exfiltration is chatty
"unique_subdomains": distinct_labels(domain), # thousands under one apex
}High entropy + long names + a burst of unique subdomains under one domain is a fingerprint that benign traffic almost never leaves.
Spark, because it has to scale
I built the pipeline on Apache Spark, not as a resume flex, but because packet volumes blow past what a single machine holds in memory. Distributed processing was the requirement. Spark also let me generate synthetic tunneled traffic to exercise the detector against a known ground truth.
Interpretable on purpose
I deliberately chose engineered features over a black-box deep model. A security report has to be defensible, an analyst needs to see why a domain was flagged (its entropy, its cadence) and decide whether to act. "The neural net said so" doesn't hold up in an incident review.
The best detection isn't the one with the highest score on your test set. It's the one an analyst can act on at 3 a.m. and defend the next morning.
The honest next step is a labeled evaluation set so I can report real precision and recall instead of "it flags the synthetic tunnels", and a streaming mode so it catches exfiltration as it happens, not after.