DNS Tunneling
What is DNS Tunneling?
DNS Tunneling: A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration.
DNS tunneling abuses the fact that DNS traffic (UDP/TCP port 53) is allowed almost everywhere and is rarely deeply inspected. Malware encodes payload bytes in subdomain labels (e.g., base32 chunks under attacker.example.com), and the attacker's authoritative server replies with TXT, CNAME, or NULL records carrying the response or commands. Tools such as dnscat2, Iodine, and Cobalt Strike's DNS C2 use this pattern. Bandwidth is low, but the channel is stealthy. Detection relies on a high query rate per host, unusually long labels, high subdomain entropy, base64/hex patterns, atypical record types, and threat-intelligence (TI) feeds. Defenses include DNS proxying, sinkholing, query rate limits, anomaly analytics in EDR/NDR, and blocking traffic to unknown DNS resolvers at the egress firewall.
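As an added defender's example (not code from this page or from any tool it names), the following Python script applies the detection indicators listed above, per-host query rate toward one zone, long labels, subdomain entropy, base32/hex-looking labels and atypical record types, to a constructed resolver log. The thresholds and the simplification that the registered domain is the last two labels are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed resolver-log sample, one "client qname qtype" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 gezdgnbvgy3tqojqgezdgnbvgy3tqojq.exfil.attacker.example TXT
10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43u.exfil.attacker.example TXT
10.0.0.9 on2xe5dfojzxazlsnfsxg5dfnzsxgzlq.exfil.attacker.example NULL
10.0.0.9 ge2tknjug4zdsnjrgizdinrrgqzdgnjs.exfil.attacker.example TXT
"""
ATYPICAL_QTYPES = {"TXT", "NULL"}  # seldom requested directly by ordinary endpoints
ENCODED_LABEL = re.compile(r"^(?:[a-z2-7]{20,}|[0-9a-f]{16,})$")  # base32- or hex-looking

def shannon_entropy(text):
    """Bits per character; random payload labels score far above real hostnames."""
    return -sum(c / len(text) * math.log2(c / len(text)) for c in Counter(text).values())

def query_flags(qname, qtype, max_label=30, min_entropy=3.5):
    """Per-query indicators; assumes the registered domain is the last two labels (no PSL)."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-2]  # everything below the registered domain
    subdomain = "".join(sub_labels)
    flags = set()
    if any(len(label) > max_label for label in labels):
        flags.add("long_label")
    if len(subdomain) >= 16 and shannon_entropy(subdomain) >= min_entropy:
        flags.add("high_entropy")
    if any(ENCODED_LABEL.match(label) for label in sub_labels):
        flags.add("encoded_label")  # weak alone: long dictionary words also match
    if qtype.upper() in ATYPICAL_QTYPES:
        flags.add("atypical_qtype")
    return flags

def detect_tunneling(log, rate_threshold=3, min_flags=2):
    """client -> (busiest zone, count, sorted indicators) when count >= rate_threshold and >= min_flags indicators fire."""
    per_client = defaultdict(lambda: {"zones": Counter(), "flags": set()})
    for line in log.splitlines():
        client, qname, qtype = line.split()
        zone = ".".join(qname.rstrip(".").split(".")[-2:])
        per_client[client]["zones"][zone] += 1
        per_client[client]["flags"] |= query_flags(qname, qtype)
    suspects = {}
    for client, rec in per_client.items():
        zone, count = rec["zones"].most_common(1)[0]
        if count >= rate_threshold and len(rec["flags"]) >= min_flags:
            suspects[client] = (zone, count, sorted(rec["flags"]))
    return suspects
```

Requiring several independent indicators plus a sustained rate toward a single zone keeps a lone long hostname or a single TXT lookup (common for SPF/DKIM checks) from raising an alert on its own.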
● Examples
- 01: An infected host sends queries like a1b2c3.exfil.attacker.com whose labels encode stolen data.
- 02: dnscat2 establishes a TXT-based shell over DNS to bypass an HTTP-only egress proxy.
● Frequently asked questions
What is DNS Tunneling?
A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration. It belongs to the Network Security category of cybersecurity.
How do you defend against DNS Tunneling?
Defences for DNS Tunneling typically combine technical controls and operational practices: DNS proxying, sinkholing, query rate limits, anomaly analytics in EDR/NDR, and blocking traffic to unknown DNS resolvers at the egress firewall, as detailed in the full definition above.
What are other names for DNS Tunneling?
Common alternative names include: DNS C2, DNS exfiltration.
● Related terms
- UDP (network-security, № 1188): A connectionless transport protocol (RFC 768) that delivers individual datagrams between ports with minimal overhead but no reliability or ordering guarantees.
- DNS Amplification Attack (attacks, № 335): A reflection DDoS attack that abuses open DNS resolvers by sending small queries with the victim's spoofed IP, causing resolvers to send large DNS responses to the victim.
- DNS Hijacking (attacks, № 338): An attack that redirects DNS resolution to attacker-controlled answers by modifying client settings, router configurations, resolver responses, or authoritative DNS records.
- DNS Cache Poisoning (attacks, № 337): An attack that inserts forged records into a DNS resolver's cache so subsequent queries return attacker-chosen addresses until the TTL expires.
- ICMP (network-security, № 508): A network-layer control and diagnostics protocol (RFC 792 for IPv4, RFC 4443 for IPv6) used by hosts and routers to report errors and signal path conditions.
- Subdomain Takeover (network-security, № 1112): An attack in which a dangling DNS record (often a CNAME) points to an unclaimed cloud or SaaS resource, letting an attacker register that resource and impersonate the subdomain.
● See also
- Exfiltration (№ 398)
- Fast Flux (№ 407)