We are testing the DNS tunnel detection and I am unclear as to what I should be seeing in the way of alerts.
PC A is running a C2 beacon to an off-network host. All DNS traffic is sent to Server A on our network.
Server A forwards DNS queries to the Zscaler ZEN IP over a GRE/IPsec tunnel.
I see the DNS traffic in DNS Insights logs. Each DNS request is marked as:
|DNS Tunnels & Network Apps||DNS Tunnel & Network App Categories|
The DNS tunnel domain would be included in an alert so that a security analyst would be prompted to investigate.
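For comparison with what the product alert should contain, here is an added example (not from this post and not Zscaler's detection logic) of the kind of heuristic a DNS tunnel detector applies: it groups queries by registered domain and flags a domain that receives many distinct subdomains whose leftmost label looks like encoded data, returning the tunnel domain in the alert. The log line shape, the `tunnel-placeholder.test` domain and the thresholds are assumptions, and the sample lines are constructed.

```python
import math
from collections import Counter, defaultdict
# Constructed sample lines (client, resolver, qtype, query name); NOT real
# DNS Insights output, and tunnel-placeholder.test is a placeholder domain.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.2 A www.example.com
10.0.0.5 10.0.0.2 TXT 3q9k2zx7v1p0a8r4c6t2l9m3.tunnel-placeholder.test
10.0.0.5 10.0.0.2 TXT 7h4f1d9s2k6j3g8b0n5v2c1x.tunnel-placeholder.test
10.0.0.5 10.0.0.2 TXT p2l8w4e6r1t3y9u7i5o0a1s3.tunnel-placeholder.test
10.0.0.5 10.0.0.2 TXT z5x3c1v9b7n5m3q1w9e7r5t3.tunnel-placeholder.test
10.0.0.5 10.0.0.2 A mail.example.com
10.0.0.5 10.0.0.2 A cdn.example.com
"""

def shannon_entropy(label):
    """Bits per character of one DNS label; encoded payloads score high."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(qname):
    """Crude two-label suffix; a real tool should use the public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def detect_tunnels(log_text, min_unique=3, min_label=20, min_entropy=3.0):
    """Group queries per registered domain; flag a domain that receives many
    distinct subdomains whose leftmost label looks like encoded data."""
    stats = defaultdict(lambda: {"subs": set(), "max_label": 0, "ent": [], "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, _, qtype, qname = parts
        first = qname.split(".")[0]
        s = stats[registered_domain(qname)]
        s["subs"].add(first)
        s["max_label"] = max(s["max_label"], len(first))
        s["ent"].append(shannon_entropy(first))
        if qtype.upper() == "TXT":
            s["txt"] += 1
    alerts = []
    for dom, s in stats.items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        if len(s["subs"]) >= min_unique and (s["max_label"] >= min_label or mean_ent >= min_entropy):
            alerts.append({"domain": dom, "unique_subdomains": len(s["subs"]),
                           "max_label_len": s["max_label"], "mean_entropy": round(mean_ent, 2),
                           "txt_queries": s["txt"]})
    return alerts
```

Run against the sample, only the placeholder tunnel domain is returned; the three ordinary `example.com` hosts have short, low-entropy labels and are left alone.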