diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
index d3625a96c6db9..d4cef30f3b320 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/__mocks__/index.ts
@@ -146,10 +146,23 @@ export const formattedSearchStrategyResponse = {
 dns_name_query_count: {
 terms: {
 field: 'dns.question.registered_domain',
- size: 10,
- order: { unique_domains: 'desc' },
+ size: 1000000,
 },
 aggs: {
+ bucket_sort: {
+ bucket_sort: {
+ sort: [
+ {
+ unique_domains: {
+ order: 'desc',
+ },
+ },
+ { _key: { order: 'asc' } },
+ ],
+ from: 0,
+ size: 10,
+ },
+ },
 unique_domains: { cardinality: { field: 'dns.question.name' } },
 dns_bytes_in: { sum: { field: 'source.bytes' } },
 dns_bytes_out: { sum: { field: 'destination.bytes' } },
@@ -204,10 +217,23 @@ export const expectedDsl = {
 dns_name_query_count: {
 terms: {
 field: 'dns.question.registered_domain',
- size: 10,
- order: { unique_domains: 'desc' },
+ size: 1000000,
 },
 aggs: {
+ bucket_sort: {
+ bucket_sort: {
+ sort: [
+ {
+ unique_domains: {
+ order: 'desc',
+ },
+ },
+ { _key: { order: 'asc' } },
+ ],
+ from: 0,
+ size: 10,
+ },
+ },
 unique_domains: { cardinality: { field: 'dns.question.name' } },
 dns_bytes_in: { sum: { field: 'source.bytes' } },
 dns_bytes_out: { sum: { field: 'destination.bytes' } },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
index 8fd81d5d14157..7043b15ebb4dd 100644
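Review bot: The expected DSL in both mock hunks (`formattedSearchStrategyResponse` and `expectedDsl`) now pins `size: 1000000` on the `dns.question.registered_domain` terms aggregation, so each page request asks Elasticsearch for up to a million buckets, each carrying a cardinality and two sum sub-aggregations, before `bucket_sort` trims the result to ten. On high-cardinality DNS data this can run into the cluster's `search.max_buckets` limit or put heavy memory pressure on the coordinating node, so the DNS table may fail on exactly the noisy datasets an analyst wants to inspect. The query builder that sets the value is not in the visible hunks; I would replace the literal with a named, documented cap there and add a case covering the too-many-buckets error path.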
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
@@ -27,11 +27,7 @@ type QueryOrder =
 const getQueryOrder = (sort: SortField): QueryOrder => {
 switch (sort.field) {
 case NetworkDnsFields.queryCount:
- return {
- _count: {
- order: sort.direction,
- },
- };
+ return { _count: { order: sort.direction } };
 case NetworkDnsFields.dnsName:
 return { _key: { order: sort.direction } };
 case NetworkDnsFields.uniqueDomains:
@@ -39,6 +35,7 @@ const getQueryOrder = (sort: SortField): QueryOrder => {
 case NetworkDnsFields.dnsBytesIn:
 return { dns_bytes_in: { order: sort.direction } };
 case NetworkDnsFields.dnsBytesOut:
+ return { dns_bytes_out: { order: sort.direction } };
 }
 assertUnreachable(sort.field);
 };
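Review bot: Nothing visible on this page exercises the `dnsBytesOut` branch that the second hunk repairs: the mocks in this commit only sort by `unique_domains`, so the missing `return` could regress unnoticed. A table-driven test that requests each `NetworkDnsFields` sort field through the DSL builder and asserts the resulting sort key (for this case `dns_bytes_out`) would pin the fix. Such tests may exist outside this diff. `getQueryOrder` begins in the previous hunk, and the `uniqueDomains` return between the two hunks is not shown.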