A method for detecting camouflaged network connections based on the DNS protocol in an organization's corporate network
Abstract
Incoming article date: 21.01.2026

The article addresses the problem of detecting camouflaged (hidden) network connections based on the DNS (Domain Name System) protocol in an organization's corporate network, and the research is aimed at developing a method for detecting them. The proposed method is based on calculating the entropy of subdomain names, thresholds for the number of responses received from the DNS server, and the proportion of unique subdomains for each domain. Its use makes it possible to detect all types of DNS tunnels in the traffic circulating in the corporate network, which is confirmed by the results of the experiment conducted as part of the study.
Keywords: tunneling, DNS protocol, camouflaged network connection, entropy, network connection analysis, information security
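
The three indicators named in the abstract (subdomain entropy, number of DNS responses, proportion of unique subdomains per domain) can be computed over observed response names as in the following added example, which is not the article's own code. The threshold values, the rule that all three must be exceeded together, the two-label domain split, and the function names are assumptions made for illustration; the sample traffic is constructed.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for illustration; the abstract does not state the article's values.
ENTROPY_MIN = 3.5       # mean Shannon entropy of subdomains, bits per character
RESPONSES_MIN = 20      # DNS responses observed for one domain
UNIQUE_RATIO_MIN = 0.8  # unique subdomains / responses for that domain

def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname):
    """Return (subdomain, domain); the last two labels are taken as the domain.
    Simplification: production code would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def detect(response_names):
    """Flag domains that exceed all three thresholds.
    response_names: one query name per DNS response seen on the wire."""
    subs_by_domain = defaultdict(list)
    for qname in response_names:
        sub, domain = split_name(qname)
        if sub:  # names without a subdomain carry no payload label
            subs_by_domain[domain].append(sub)
    flagged = {}
    for domain, subs in subs_by_domain.items():
        n = len(subs)
        ratio = len(set(subs)) / n
        mean_h = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n
        if n >= RESPONSES_MIN and ratio >= UNIQUE_RATIO_MIN and mean_h >= ENTROPY_MIN:
            flagged[domain] = {"responses": n, "unique_ratio": ratio, "mean_entropy": mean_h}
    return flagged

def constructed_sample():
    """Constructed traffic: repetitive lookups plus 30 encoded-looking unique names."""
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"
    names = ["www.example.com", "mail.example.com"] * 25
    for i in range(30):
        label = "".join(alphabet[(i * 7 + j) % 32] for j in range(16))
        names.append(label + ".example.net")
    return names

if __name__ == "__main__":
    for domain, stats in detect(constructed_sample()).items():
        print(domain, stats)
```

On the constructed sample, example.com produces many responses but only two distinct low-entropy subdomains, so the response-count threshold alone does not flag it.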