diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
new file mode 100644
index 000000000..90a889dc2
--- /dev/null
+++ b/rules/network/net_dns_c2_detection.yml
@@ -0,0 +1,19 @@
+title: Possible DNS Tunneling
+status: experimental
+description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. 
+references:
+    - https://zeltser.com/c2-dns-tunneling/
+    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
+author: Patrick Bareiss
+date: 2019/04/07
+logsource:
+    product: dns
+detection:
+    selection:
+        parent_domain: '*'
+    condition: selection | count(dns_query) by parent_domain > 1000
+falsepositives:
+    - Valid software, which uses dns for transferring data
+level: high
+tags:
+    - attack.t1043