A cloud-based DNS firewall, such as DigitalStakeout PDNS, can be an effective tool for threat hunting by security analysts. Here is a step-by-step guide on how a security analyst can use PDNS for threat hunting:

1. Set up PDNS: The first step in using PDNS for threat hunting is to set up the service. This typically involves starting by creating a free DNS account, configuring your network to send DNS data to PDNS, and setting up access to the PDNS web interface.

2. Collect and analyze DNS data: Once PDNS is set up, PDNS will begin collecting and analyzing DNS data from your network in real-time. This data can include DNS queries, responses, and other metadata such as the source and destination IP addresses of the traffic.

3. Identify indicators of compromise: One of the primary benefits of using PDNS for threat hunting is the ability to quickly identify indicators of compromise (IOCs) in DNS data. Some common IOCs that can be detected using PDNS include:

• Domain names associated with known malware or phishing campaigns
• DNS queries for non-existent domains (NX domains)
• DNS responses containing malicious payloads
• Sudden increase in the number of DNS queries or responses
  
• Low DigitalStakeout domain rank resolutions
  
• Sudden burst of new DigitalStakeout DNS Greywall entries
  

4. Investigate suspicious activity: If you identify any suspicious activity or IOCs using PDNS, it is important to investigate further to confirm the existence of a threat and to determine its nature and scope. This may involve conducting additional analysis of DNS data, as well as other types of data such as network traffic and system logs.
   

5. Take action: If you confirm the existence of a cyber threat, it is important to take action to mitigate the threat and prevent further damage. This may involve blocking malicious traffic by PDNS policy, quarantining infected devices, and implementing additional security measures to prevent connectivity to the malicious domain(s) and future attacks.