DNS Activity to the Internetedit

Detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization’s ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.

Rule type: query

Rule indices:

  • filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100



  • Elastic
  • Network

Version: 3 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Potential false positivesedit

Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior.

Rule queryedit

destination.port:53 and source.ip:( or or and not destination.ip:( or or or or or
or or or "::1" or "ff02::fb")

Threat mappingedit


Rule version historyedit

Version 3 (7.7.0 release)

Updated query, changed from:

destination.port:53 and ( network.direction: outbound or (
source.ip:( or or and not
destination.ip:( or or or or or or ff02\:\:fb or ) ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.