Which of the following is the best data source for detecting DNS tunneling activity?
DNS logs provide the full query and response details needed to detect tunneling.
Why this answer
DNS logs contain the queries and responses; analyzing them for unusual domain patterns, large query volumes, or odd record types can reveal tunneling.