
Summary
This rule detects DNS queries resolved by unauthorized DNS servers, which may indicate malicious activity such as DNS hijacking or command and control communication. It relies on the Network Resolution data model in Splunk being populated, together with accurate asset metadata that identifies the organization's legitimate DNS servers. The search examines DNS resolution data for requests in which neither the source nor the destination is categorized as a recognized DNS server. Any resolution that falls outside the authorized list warrants investigation to confirm its legitimacy and to check that the asset list of DNS servers is current. False positives are possible, since legitimate DNS queries can sometimes trigger the alert; identifying and defining the authorized DNS servers is therefore essential to keep false alarms down and to strengthen the security posture against DNS-based threats.
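The following is an added illustration, not the rule's own Splunk search: it emulates the same logic in Python over constructed Network Resolution style events and a constructed asset inventory (all addresses and domains are placeholders), flagging resolutions where neither source nor destination is categorized as a DNS server and noting when the destination is absent from the asset list altogether.

```python
"""Constructed emulation of the unauthorized-DNS-server search: flag DNS
resolutions where neither src nor dest is categorized as a DNS server."""

# Constructed asset inventory (placeholder addresses): each host maps to the
# categories an asset lookup would attach to it.
ASSET_CATEGORIES = {
    "10.0.0.53": {"dns_server"},
    "10.0.0.54": {"dns_server"},
    "10.0.1.25": {"workstation"},
    "10.0.2.10": {"server"},
}

# Constructed Network_Resolution-style events (src, dest, query, _time).
EVENTS = [
    {"_time": 1731580000, "src": "10.0.1.25", "dest": "10.0.0.53", "query": "intranet.example.test"},
    {"_time": 1731580010, "src": "10.0.2.10", "dest": "10.0.0.54", "query": "db.example.test"},
    # workstation resolving through an outside resolver: should be flagged
    {"_time": 1731580020, "src": "10.0.1.25", "dest": "203.0.113.7", "query": "c2.example.test"},
    {"_time": 1731580030, "src": "10.0.1.25", "dest": "203.0.113.7", "query": "c2.example.test"},
    # authorized resolver forwarding upstream: src is a dns_server, not flagged
    {"_time": 1731580040, "src": "10.0.0.53", "dest": "198.51.100.9", "query": "upstream.example.test"},
]


def is_dns_server(ip, asset_categories):
    """True if the asset inventory categorizes this address as a DNS server."""
    return "dns_server" in asset_categories.get(ip, set())


def unauthorized_resolutions(events, asset_categories=ASSET_CATEGORIES):
    """Aggregate flagged events by (src, dest): count, firstTime, lastTime,
    distinct queries, plus whether dest is present in the asset list at all
    (a hint that the inventory, not the traffic, may be what needs fixing)."""
    hits = {}
    for ev in events:
        if is_dns_server(ev["src"], asset_categories) or is_dns_server(ev["dest"], asset_categories):
            continue  # one side is an authorized resolver; not an alert
        key = (ev["src"], ev["dest"])
        h = hits.setdefault(key, {
            "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
            "queries": set(), "dest_in_asset_list": ev["dest"] in asset_categories,
        })
        h["count"] += 1
        h["firstTime"] = min(h["firstTime"], ev["_time"])
        h["lastTime"] = max(h["lastTime"], ev["_time"])
        h["queries"].add(ev["query"])
    return hits


if __name__ == "__main__":
    for (src, dest), h in unauthorized_resolutions(EVENTS).items():
        print(f"{src} -> {dest}: {h['count']} queries, dest in asset list={h['dest_in_asset_list']}")
```

The upstream-forwarding event shows why the search checks both source and destination categories: an authorized resolver talking to an external forwarder is expected traffic, while a workstation doing the same is the case to investigate.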
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
ATT&CK Techniques
- T1071.004
Created: 2024-11-14