The DNS Security DNS tunnel detector now provides enhanced identification of malicious DNS tunnel activity by evaluating individual DNS queries in real-time to minimize data leakage. Previously, including with traditional DNS tunnel detectors, DNS Security relied on statistical analysis of query sequences, which can lead to data loss, as they require pattern observation across multiple queries, before detection is possible. However, the revamped DNS tunnel detector is able to evaluate individual DNS queries in real-time, enabling it to identify malicious tunneling activity from the very first query to the last. This can help protect your network from sophisticated strategies designed to evade session-based detectors and minimize initial data loss.

Additional configuration is not required if you have already enabled DNS Security and defined a policy action for Command and Control Domains, which is the parent category for the existing DNS Tunnel Detection DNS threat category.