BreachHorizon

DNS query monitoring for SMBs: cheap detection that catches malware C2

Laurens Vanhaecke · Jun 12, 2026 · 8 min read · Reviewed by Laurens Vanhaecke

DNS query monitoring is the single highest-signal, lowest-cost detection control most SMBs have never turned on — and attackers are counting on that.

Almost every malware family that phones home has to resolve a domain first. Ransomware staging infrastructure, RATs waiting for commands, infostealers exfiltrating credentials: they all generate DNS queries before a single byte of payload moves across the wire. If you are logging those queries and comparing them against threat intelligence, you will often see the infection before your EDR fires, before your SIEM lights up, and before the attacker has finished their coffee.

This is not a theoretical advantage. It is a structural one. DNS sits at the base of almost all IP communication, it is queryable at scale on commodity hardware, and the logging overhead is negligible. For an SMB without a dedicated SOC, that combination is hard to beat.

Why DNS sees almost every malware behavior first

When a piece of malware executes on an endpoint, the first thing it almost always does is reach out to its operator. That means resolving a hostname. The operating system hands that query to the configured DNS resolver, and the resolver logs it — if you have told it to.

The timing advantage is real. A freshly executed implant typically sends its first beacon within seconds of launch, and resolving the C2 hostname is the very first observable step of that beacon. By contrast, behavioral EDR engines such as CrowdStrike Falcon or Microsoft Defender for Endpoint need to observe enough process behavior to build a conviction score before they alert, and that takes time. The DNS query lands in your resolver log before any of that behavior has accumulated.

There is also a coverage advantage. Not every endpoint has EDR installed. A managed switch, a VoIP phone, a network printer, an IoT sensor on the factory floor — none of those run CrowdStrike. But they all use DNS. A centrally logged DNS resolver sees traffic from every device on the network, regardless of whether that device can run an agent.

Finally, DNS is hard for attackers to avoid. They can encrypt payloads, stage through legitimate cloud services, and rotate IP addresses hourly, but as long as the implant resolves a hostname through the resolver you control, the query lands somewhere you can see. The two real blind spots are malware that beacons to a hard-coded IP address and never resolves anything, and malware that carries its own DNS-over-HTTPS or DNS-over-TLS client and talks straight to a public resolver. The mitigation for both is the same: allow outbound UDP/TCP 53 and 853 only from your own resolver, block the well-known public DoH endpoints at the firewall, and treat any endpoint that tries to reach them directly as suspicious in its own right.

The three things DNS monitoring detects that EDR often misses

Domain generation algorithm (DGA) traffic. Conficker, Necurs, the Gameover Zeus peer-to-peer fallback, and a long line of loaders since have used DGAs to generate hundreds of candidate C2 domains algorithmically each day. The malware queries them in turn; only the handful the operator has actually registered resolve. EDR sees process behavior. DNS monitoring sees a flood of NXDOMAIN responses for high-entropy names with no prior resolution history, a pattern that is trivial to flag. The one caveat is baseline noise: Chromium-based browsers probe a few random hostnames at startup to detect NXDOMAIN hijacking, misconfigured search suffixes produce a steady low volume of NXDOMAINs, and typos happen. Those produce a trickle; a DGA produces a burst.

Fast-flux and bulletproof hosting. Attackers publish very short TTLs (often 300 seconds or less) and rotate the IP addresses behind a domain every few minutes to defeat IP blocklists. The domain itself stays constant. If you are only monitoring IP-layer traffic, you will block one address and miss the next rotation. DNS monitoring on the domain string catches every query regardless of where that domain points at any given moment, and if your logs keep the answer section, a short TTL combined with a large, churning set of A records is itself a usable signal.

DNS tunneling for data exfiltration. Tools like dnscat2 and iodine encode data inside DNS query names and in TXT (or other) record answers, turning your resolver into an exfiltration channel. Note that the tunnel usually needs no direct path to the internet on port 53: the client asks your internal resolver, and the resolver recursively contacts the attacker's authoritative server on its behalf, so a firewall rule that only lets the resolver out does not stop it. The signature is obvious in query logs: long, random-looking subdomain labels, high query volume to a single second-level domain, and TXT record lookups with no business justification. EDR telemetry usually records that a process issued DNS queries, but it rarely inspects the names or the volume, so unless the specific tool has a known signature the tunnel looks like ordinary resolution. DNS logs make it straightforward to detect.
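To make the three patterns above concrete, here is an added example, written for this article and not code from any of the tools or vendors it mentions, that extracts the per-name features a DGA or a tunnel leaves behind in a query log: entropy and vowel ratio of the registrable label for DGA-like names, and subdomain and label length for tunnel-like names. The sample names, the thresholds, and the two-label rule for finding the registrable domain are assumptions for illustration; in production use a public-suffix list and tune the thresholds against your own baseline.

```python
import math
from collections import Counter

# Constructed sample names, not taken from any real log or threat feed.
SAMPLE_NAMES = [
    "xk7qpz2mw9vbt.com",                                          # imitates DGA output
    "2f8a9c1d4e5b6a7f8c9d0e1f2a3b4c5d6e7f8a9b.c2.example.com",  # imitates a tunnel chunk
    "outlook.office365.com",                                      # benign
    "www.google.com",                                             # benign
]

# Illustrative thresholds (assumptions for this example; tune against your baseline).
DGA_MIN_SLD_LEN = 12
DGA_MIN_ENTROPY = 3.5
DGA_MAX_VOWEL_RATIO = 0.25
TUNNEL_MAX_SUBDOMAIN_LEN = 50
TUNNEL_MAX_LABEL_LEN = 40


def shannon_entropy(s: str) -> float:
    """Bits per character: random alphanumerics score high, dictionary words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(qname: str) -> dict:
    labels = qname.rstrip(".").lower().split(".")
    # Assumption: the registrable domain is the last two labels. Production code
    # should use a public-suffix list so names under co.uk and similar are handled.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    subdomain = ".".join(labels[:-2])
    return {
        "sld": sld,
        "sld_len": len(sld),
        "sld_entropy": shannon_entropy(sld) if sld else 0.0,
        "sld_vowel_ratio": sum(ch in "aeiou" for ch in sld) / max(len(sld), 1),
        "subdomain_len": len(subdomain),
        "max_label_len": max(len(label) for label in labels),
        "label_count": len(labels),
    }


def classify(qname: str) -> list:
    """Return the indicator tags that fire for one query name."""
    f = features(qname)
    tags = []
    # Tunnels need to carry payload, so they produce long labels or long subdomains.
    if f["subdomain_len"] > TUNNEL_MAX_SUBDOMAIN_LEN or f["max_label_len"] >= TUNNEL_MAX_LABEL_LEN:
        tags.append("tunnel-like")
    # DGAs produce long, high-entropy, consonant-heavy registrable labels.
    if (f["sld_len"] >= DGA_MIN_SLD_LEN
            and f["sld_entropy"] >= DGA_MIN_ENTROPY
            and f["sld_vowel_ratio"] <= DGA_MAX_VOWEL_RATIO):
        tags.append("dga-like")
    return tags


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        f = features(name)
        print(f"{name:58} sld_len={f['sld_len']:2} H={f['sld_entropy']:.2f} tags={classify(name)}")
```

A single name scoring "dga-like" is weak evidence on its own; the strong signal in the article's description is many such names from one source, most of them answered NXDOMAIN, which is what the aggregation rules later in the piece are for.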

Free options: Quad9, NextDNS, Cloudflare for Families

If your budget is zero, you still have three usable options. Two of them give you upstream threat blocking with no query logs at all; the third gives you real logs within a monthly quota. All three eliminate the worst of the known-bad infrastructure.

Quad9 (9.9.9.9) blocks malicious domains at resolution time using threat intelligence aggregated from over 20 partners including IBM X-Force and Abuse.ch. It is free, privacy-focused, and requires no account. You get blocking but no per-query logging. Useful as a baseline; not useful for forensics.

Cloudflare for Families (1.1.1.2 for malware blocking, 1.1.1.3 for malware plus adult content) is similarly free, similarly log-free for the end user, and Cloudflare's network makes it fast. Same limitation: you are consuming their threat intel, not building your own visibility.

NextDNS is where the free tier becomes genuinely useful for detection. The free plan gives you 300,000 queries per month with full query logging, customizable blocklists, and a web dashboard. Do the arithmetic before relying on it: a single Windows workstation with a browser open easily generates several thousand queries a day, so a 20-user office will typically exhaust the quota in a week or two rather than a month. While it lasts, you can see every domain every device has queried, filtered by device and exportable to CSV. That is real visibility. Check NextDNS's current plan terms for what happens at the quota: as published, the service falls back to a plain, non-blocking resolver until the next month, so you lose filtering and logs at the same time. For most SMBs, the $19.90/year pro plan is an obvious buy: unlimited queries, with logs retained for up to 24 months.

The catch with all free options: they require you to point your network's DNS at an external resolver. That means changing the resolver your router's DHCP hands out, or configuring it at the firewall, and then enforcing it: add an egress rule that allows UDP/TCP 53 out only to the resolver you chose, so a device with a hard-coded 8.8.8.8 or a DoH-capable implant cannot quietly step around your logging. If you are using a NinjaOne-managed environment, you can push the DNS configuration via policy in about ten minutes.

Paid options worth it: Cisco Umbrella, DNSFilter, ControlD

Cisco Umbrella is the enterprise standard and the name most MSPs recognize. The SMB-tier pricing starts around $2.20 per user per month. What you get over free options: Cisco Talos threat intelligence (one of the largest private threat intel operations in the world), Investigate integration for domain reputation lookups, granular policy by user group, and — critically — the ability to export logs to a SIEM. If you are feeding logs into Microsoft Sentinel or a similar platform, Umbrella's log format is well-documented and connector support is mature. The downside is that Umbrella's interface is built for enterprise administrators. It is not particularly friendly for a two-person IT team.

DNSFilter is the Umbrella alternative that actually fits SMB operational complexity. Per-device or per-user pricing, a clean dashboard, AI-driven domain categorization that catches newly registered malicious domains faster than traditional blocklist approaches, and MSP-friendly multi-tenant management. Log export is included. Pricing starts around $1 per user per month at volume. Several mid-market MSPs I have spoken with have moved their books from Umbrella to DNSFilter specifically because the management overhead dropped significantly without meaningful detection loss.

ControlD is the underrated option in this space. It is built on Windscribe's infrastructure, supports DNS-over-HTTPS and DNS-over-TLS natively, and offers per-device routing rules that let you send different query streams to different upstream resolvers. For an environment with segmentation requirements — say, a manufacturing floor that should never query social media domains — ControlD's rule flexibility is hard to match at its price point. Log export exists but is less polished than DNSFilter. Worth evaluating if you have specific per-segment policy needs.

Skip: OpenDNS (Cisco Umbrella's consumer brand) unless you are already in it. The enterprise pivot means the SMB tier receives less development attention than Umbrella proper.

What logs to keep, what to alert on

At minimum, log every DNS query with: timestamp, source IP, queried domain, query type (A, AAAA, MX, TXT, PTR), response code (NOERROR, NXDOMAIN, SERVFAIL), and resolved IP if applicable. Most managed resolvers give you this. If you are running your own resolver — Pi-hole, Technitium, or Windows DNS Server — enable query logging explicitly and ship those logs to wherever you aggregate.

Retention: 90 days is the practical minimum for incident response. If you get a breach notification from a third party on day 60, you need to reconstruct what happened. 12 months is better. Storage is cheap.

Alert on these patterns immediately:

  • Queries to domains less than 7 days old (use whois or VirusTotal API lookups against your query logs)
  • NXDOMAIN rate per source IP exceeding 50 per hour — DGA indicator
  • Query strings exceeding 50 characters in the subdomain component
  • More than 100 TXT record queries in a 24-hour window from a single source
  • Any query matching known C2 domains in threat feeds (Abuse.ch URLhaus, Emerging Threats DNS blocklist)
  • Queries to dynamic DNS providers (duckdns.org, no-ip.com, ddns.net) from endpoints that have no business using them

Do not alert on every blocked query. Volume will bury you. Block silently, log everything, and alert only on the pattern categories above.
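The alert rules above are simple enough to run without a SIEM. Below is an added example, written for this article rather than taken from any resolver vendor, that applies them to a CSV export of the form timestamp, source, query name, type, response code. The log lines are constructed for the example, the threat feed is a stand-in (not real indicators), and the list of hosts allowed to use dynamic DNS is an assumption; the thresholds are the ones the list above gives. The "newer than 7 days" rule is left out because it needs a live WHOIS or VirusTotal lookup.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Thresholds taken from the alert list above.
NXDOMAIN_PER_HOUR = 50
TXT_PER_DAY = 100
MAX_SUBDOMAIN_LEN = 50
# Dynamic DNS suffixes named in the article; the leading dot avoids matching look-alikes.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net")
# Assumptions for this example: a stand-in threat feed (not real indicators) and
# the internal hosts that legitimately use dynamic DNS.
C2_FEED = {"c2-feed-example.invalid"}
DYNDNS_ALLOWED_SOURCES = {"10.0.0.5"}


def build_sample_log() -> str:
    """Constructed resolver export in CSV form, not from any real network."""
    base = datetime(2026, 6, 8, 9, 0, 0)
    rows = ["ts,src,qname,qtype,rcode"]
    rows.append(f"{base.isoformat()},10.0.0.11,outlook.office365.com,A,NOERROR")
    rows.append(f"{base.isoformat()},10.0.0.11,_dmarc.example.com,TXT,NOERROR")
    # 60 NXDOMAIN answers for random-looking names inside 30 minutes: a DGA-like burst.
    for i in range(60):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        rows.append(f"{ts},10.0.0.23,q{i:03d}zx7k.example,A,NXDOMAIN")
    # One 60-character label under an external domain: tunnel-like.
    rows.append(f"{base.isoformat()},10.0.0.42,{'a' * 60}.x.tunnel-example.invalid,TXT,NOERROR")
    # Dynamic DNS from a host that has no business using it.
    rows.append(f"{base.isoformat()},10.0.0.42,officecam.duckdns.org,A,NOERROR")
    # Exact match against the stand-in threat feed.
    rows.append(f"{base.isoformat()},10.0.0.77,c2-feed-example.invalid,A,NOERROR")
    return "\n".join(rows) + "\n"


def parse_log(text: str) -> list:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        rows.append(r)
    return rows


def subdomain_len(qname: str) -> int:
    # Assumption: registrable domain is the last two labels (use a public-suffix list in production).
    labels = qname.rstrip(".").split(".")
    return len(".".join(labels[:-2]))


def evaluate(rows: list) -> list:
    """Apply the alert rules; returns (rule, source, detail) tuples."""
    alerts = []
    nx_per_hour = Counter()   # (source, hour bucket) -> NXDOMAIN count
    txt_per_day = Counter()   # (source, calendar day) -> TXT query count
    for r in rows:
        src, q, ts = r["src"], r["qname"].lower().rstrip("."), r["ts"]
        if r["rcode"] == "NXDOMAIN":
            nx_per_hour[(src, ts.replace(minute=0, second=0, microsecond=0))] += 1
        if r["qtype"] == "TXT":
            txt_per_day[(src, ts.date())] += 1
        if subdomain_len(q) > MAX_SUBDOMAIN_LEN:
            alerts.append(("long-subdomain", src, q))
        if q in C2_FEED:
            alerts.append(("feed-match", src, q))
        if q.endswith(DYNDNS_SUFFIXES) and src not in DYNDNS_ALLOWED_SOURCES:
            alerts.append(("dyndns", src, q))
    for (src, hour), n in nx_per_hour.items():
        if n > NXDOMAIN_PER_HOUR:
            alerts.append(("nxdomain-burst", src, f"{n} NXDOMAIN in hour starting {hour.isoformat()}"))
    for (src, day), n in txt_per_day.items():
        if n > TXT_PER_DAY:
            alerts.append(("txt-volume", src, f"{n} TXT queries on {day.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_log(build_sample_log())):
        print(*alert, sep="  ")
```

Note that the per-query rules (long subdomain, feed match, dynamic DNS) fire on a single line, while the NXDOMAIN and TXT rules only fire after the whole window has been counted; if you run this on a schedule, feed it at least one full hour of log so the bucket boundaries line up.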

Building the simple weekly review

You do not need a SIEM to get value from DNS logs. A 20-minute weekly review with a structured checklist catches most of what matters.

Monday morning, pull the previous week's query logs. Sort by query count per domain, descending. The top 20 are almost always Microsoft 365, Cloudflare, Google, your LOB application vendors. Anything in the top 20 that you do not recognize immediately gets a VirusTotal lookup and a whois check. One unknown domain in your top 20 is more interesting than a thousand blocked queries to known adware networks.

Next, filter for NXDOMAIN responses only. Sort by source IP. Any endpoint generating more than 200 NXDOMAIN responses in a week is worth investigating. Normal endpoints generate a small, steady trickle (browser startup probes, search-suffix appends, typos); they do not generate hundreds of lookups for names that look like keyboard noise. Malware does.

Then filter for query types: pull all TXT and PTR lookups. TXT lookups outside of email infrastructure (SPF, DKIM and DMARC verification) and the handful of applications you know use them are unusual. A workstation repeatedly querying TXT records for an external domain is a tunneling indicator.

Finally, cross-reference any new domains first seen this week against your threat feed of choice. The free Abuse.ch Feodo Tracker exports a DNS blocklist you can diff against your new-domains list in a spreadsheet in under five minutes.

Document what you found, even if it is nothing. Three weeks of clean logs followed by a DGA spike on week four is only meaningful if you have the three clean weeks as a baseline.
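The four review steps above, plus the baseline point in the last paragraph, are one small script. The example below is added for this article and is not code from any of the products discussed. The week of log lines is constructed, and the known-good domains, the baseline of registrable domains seen in previous weeks, and the threat feed are all stand-ins (not real indicators); the two-label rule for the registrable domain is an assumption, and a public-suffix list is the right tool in production. The top-N step counts resolved queries only, since NXDOMAIN noise is handled by the second step.

```python
import csv
import io
from collections import Counter

# Assumptions for this example: domains you recognise on sight, the registrable
# domains recorded in earlier weekly reviews, and a stand-in threat feed.
KNOWN_GOOD = {"microsoftonline.com", "office365.com", "google.com"}
BASELINE_DOMAINS = {"microsoftonline.com", "office365.com", "google.com", "cloudflare.com"}
FEED_DOMAINS = {"feed-hit-example.invalid"}


def registrable(qname: str) -> str:
    # Assumption: last two labels; production code should use a public-suffix list.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def build_week_log() -> str:
    """Constructed week of resolver logs, not from any real network."""
    rows = ["ts,src,qname,qtype,rcode"]

    def add(n, src, qname, qtype="A", rcode="NOERROR"):
        rows.extend(f"2026-06-0{1 + i % 7}T10:00:00,{src},{qname},{qtype},{rcode}" for i in range(n))

    add(500, "10.0.0.11", "login.microsoftonline.com")
    add(400, "10.0.0.12", "outlook.office365.com")
    add(300, "10.0.0.13", "www.google.com")
    add(120, "10.0.0.31", "assets.cdn-unfamiliar-example.invalid")   # busy but unrecognised
    add(1, "10.0.0.42", "verify.tunnel-example.invalid", qtype="TXT")  # TXT from a workstation
    add(1, "10.0.0.77", "feed-hit-example.invalid")                    # on the stand-in feed
    for i in range(250):                                               # DGA-like NXDOMAIN noise
        rows.append(f"2026-06-03T02:{i % 60:02d}:00,10.0.0.23,h{i}q9zk.invalid,A,NXDOMAIN")
    return "\n".join(rows) + "\n"


def weekly_review(log_text, baseline, feed, known_good=KNOWN_GOOD, top_n=20, nx_threshold=200):
    rows = list(csv.DictReader(io.StringIO(log_text)))
    resolved = [r for r in rows if r["rcode"] == "NOERROR"]

    # Step 1: top resolved domains, then the ones you cannot name on sight.
    by_domain = Counter(registrable(r["qname"]) for r in resolved)
    top = by_domain.most_common(top_n)
    unknown_in_top = [(d, n) for d, n in top if d not in known_good]

    # Step 2: NXDOMAIN volume per source over the whole week.
    nx_by_src = Counter(r["src"] for r in rows if r["rcode"] == "NXDOMAIN")
    noisy = {src: n for src, n in nx_by_src.items() if n > nx_threshold}

    # Step 3: TXT and PTR lookups, which most workstations have no reason to issue.
    txt_ptr = [(r["src"], r["qname"], r["qtype"]) for r in rows if r["qtype"] in ("TXT", "PTR")]

    # Step 4: domains first seen this week, diffed against the feed.
    seen = set(by_domain)
    new_domains = seen - baseline
    feed_hits = new_domains & feed

    return {
        "top_resolved": top,
        "unknown_in_top": unknown_in_top,
        "noisy_nxdomain_hosts": noisy,
        "txt_ptr_lookups": txt_ptr,
        "new_domains": new_domains,
        "feed_hits": feed_hits,
        "next_baseline": baseline | seen,  # carry forward so next week's "new" means something
    }


if __name__ == "__main__":
    report = weekly_review(build_week_log(), BASELINE_DOMAINS, FEED_DOMAINS)
    for key, value in report.items():
        print(key, value, sep=": ")
```

Persist `next_baseline` somewhere (a CSV in the ticket, a file in the repo you keep runbooks in) and feed it back in as `baseline` the following Monday; without that, every domain is "new" every week and step four tells you nothing.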

If you are using NinjaOne for endpoint management, you can automate the log pull and basic pattern matching with a scheduled script that posts results to a Teams or Slack channel. That takes the weekly review from 20 minutes to 5.

DNS query monitoring is not a replacement for EDR, firewall logging, or identity monitoring. It is an additive layer that costs almost nothing and provides early warning that the other layers routinely miss. The SMBs that get hit hardest by ransomware are not the ones that lacked a $50,000 SIEM — they are the ones that had no visibility into what their endpoints were talking to at 2 AM on a Saturday. DNS logging closes that gap.

