Hunting for DNS Tunneling with Zeek

When to Use

- When hunting for data exfiltration over DNS covert channels
- After threat intelligence indicates DNS-based C2 frameworks targeting your industry
- When dns.log shows unusually high query volumes to specific domains
- During investigation of suspected data theft where no HTTP/S exfiltration is found
- When monitoring for tools like iodine, dnscat2, DNSExfiltrator, or DNS-over-HTTPS tunneling

Prerequisites

- Zeek deployed on network tap or SPAN port capturing DNS traffic
- Zeek dns.log with full query and response fields
- SIEM platform for dns…