What's in a Name: DNS as a Detection Goldmine
I love DNS. I know that's a weird thing to say, but I've been doing DFIR and detection engineering for close to two decades, and no single protocol has given me more signal per dollar invested than DN
hurrikane.net, 10 min read
This is a really solid breakdown of DNS as a detection layer. A lot of teams still treat DNS as just infrastructure, but as you pointed out, it’s one of the richest sources of context across the entire attack lifecycle.
I especially liked the emphasis on “newly observed domains” over just newly registered ones. That shift toward environment-specific baselining is where detection maturity really starts to show. Also, the practical notes around Zeek and duplicate data sources are spot on; redundancy in visibility is often overlooked until it’s too late.
One thing I’d add from a process perspective is how important it is to track and validate these detection use cases over time. As environments evolve and noise patterns change, maintaining detection quality becomes just as important as building it. Using structured tracking with software test management tools like Tuskr (https://tuskr.app/) can actually help security teams treat detections like test cases, ensuring they stay relevant, tuned, and effective as part of a continuous improvement cy
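The "newly observed domain" idea mentioned above, as an added example that is not code from the original post or from the commenter: a learning window of Zeek dns.log records builds a per-environment baseline of registrable domains, and any later query whose registrable domain is absent from that baseline is flagged, regardless of when the domain was registered. The two dns.log excerpts, hostnames, addresses and uids are constructed for the example, and the registrable-domain helper simply takes the last two labels; a production version would use a Public Suffix List lookup (e.g. tldextract) so that co.uk-style suffixes are not grouped as one domain.

```python
"""Newly observed domain (NOD) detection over Zeek dns.log (TSV format).

Baseline: registrable domains seen during a learning window.
Detection: queries whose registrable domain is not in the baseline are
newly observed for *this* environment, whatever their registration date.
"""

# Constructed Zeek dns.log excerpts (not real traffic). Zeek's TSV logs
# carry a "#fields" header naming each tab-separated column.
HEADER = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\ttrans_id\tquery\tqclass\tqtype\tqtype_name\trcode_name\tanswers\n"
)

BASELINE_LOG = HEADER + (
    "1700000001.000000\tCabc1\t10.0.0.5\t51000\t10.0.0.53\t53\tudp\t1\twww.example.com\t1\t1\tA\tNOERROR\t93.184.216.34\n"
    "1700000002.000000\tCabc2\t10.0.0.5\t51001\t10.0.0.53\t53\tudp\t2\tupdate.example.org\t1\t1\tA\tNOERROR\t203.0.113.10\n"
    "1700000003.000000\tCabc3\t10.0.0.7\t51002\t10.0.0.53\t53\tudp\t3\t5.0.0.10.in-addr.arpa\t1\t12\tPTR\tNOERROR\thost.example.com\n"
)

DETECTION_LOG = HEADER + (
    "1700003601.000000\tCdef1\t10.0.0.5\t52000\t10.0.0.53\t53\tudp\t10\twww.example.com\t1\t1\tA\tNOERROR\t93.184.216.34\n"
    "1700003602.000000\tCdef2\t10.0.0.9\t52001\t10.0.0.53\t53\tudp\t11\tcdn.updates-example.net\t1\t1\tA\tNOERROR\t198.51.100.20\n"
    "1700003603.000000\tCdef3\t10.0.0.9\t52002\t10.0.0.53\t53\tudp\t12\tk3j4h5.updates-example.net\t1\t16\tTXT\tNOERROR\t-\n"
    "1700003604.000000\tCdef4\t10.0.0.7\t52003\t10.0.0.53\t53\tudp\t13\t9.0.0.10.in-addr.arpa\t1\t12\tPTR\tNXDOMAIN\t-\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # #separator, #types, #close, blank lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated record: skip rather than crash
        yield dict(zip(fields, values))


def registrable_domain(query):
    """Simplified registrable domain: last two labels of the query name.
    Returns None for unset values and reverse-lookup names, which would
    otherwise flood the baseline with one 'domain' per /16."""
    q = query.rstrip(".").lower()
    if q == "-" or q.endswith(".in-addr.arpa") or q.endswith(".ip6.arpa"):
        return None
    labels = q.split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])  # assumption: no public-suffix handling


def build_baseline(log_text):
    """Map registrable domain -> earliest ts and the clients that queried it."""
    baseline = {}
    for rec in parse_zeek_tsv(log_text):
        dom = registrable_domain(rec["query"])
        if dom is None:
            continue
        ts = float(rec["ts"])
        entry = baseline.setdefault(dom, {"first_seen": ts, "clients": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["clients"].add(rec["id.orig_h"])
    return baseline


def detect_newly_observed(log_text, baseline):
    """One alert per registrable domain absent from the baseline, carrying the
    query that introduced it, the clients involved and the response codes seen."""
    alerts = {}
    for rec in parse_zeek_tsv(log_text):
        dom = registrable_domain(rec["query"])
        if dom is None or dom in baseline:
            continue
        alert = alerts.setdefault(dom, {
            "first_query": rec["query"],
            "first_ts": float(rec["ts"]),
            "clients": set(),
            "rcodes": set(),
        })
        alert["clients"].add(rec["id.orig_h"])
        alert["rcodes"].add(rec["rcode_name"])
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for dom, a in detect_newly_observed(DETECTION_LOG, base).items():
        print(f"NOD {dom}: first query {a['first_query']} at {a['first_ts']}, "
              f"clients={sorted(a['clients'])}, rcodes={sorted(a['rcodes'])}")
```

Grouping alerts by registrable domain rather than by full query name is what keeps the output usable: the two hostnames under updates-example.net collapse into one alert, while the reverse lookups are dropped before they can pollute either the baseline or the alert list.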