How can you identify potential DNS tunneling in a capture?


Multiple Choice

How can you identify potential DNS tunneling in a capture?

Explanation:

Detecting DNS tunneling relies on spotting anomalous DNS traffic, not just the presence of DNS queries. Tunneling often exfiltrates data by encoding it in DNS requests, which shows up as unusual patterns in the query stream. You’ll typically see unusually long domain names or a very high frequency of queries, as well as the use of uncommon DNS query types (for example TXT or other nonstandard types used to carry data) or queries to domains that look random or suspicious.

That’s why the best approach is to look for those signs—long or frequent DNS queries, uncommon query types, and connections to suspicious domains—and to use specific Wireshark filters to inspect them efficiently. Filtering by dns.qry.name helps you examine the exact domain being queried, including unusually long or encoded-looking names. Filtering by dns.qry.type shows what kind of data is being requested (for instance TXT or NULL, which can be used for covert channels). Filtering by dns.flags.response lets you correlate queries with their responses to understand the query-response patterns and confirm whether a tunneling channel is being used.

The other options miss this pattern-based detection. Focusing only on standard DNS queries can miss encoded data in long subdomain labels. DNS tunneling can indeed be detected in Wireshark; it is not invisible to the analyst. Filtering by IP address alone ignores the content and structure of the DNS queries themselves, which is where the telltale signs usually lie.
