DNS Tunneling
What is DNS Tunneling?
DNS Tunneling: A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration.
DNS tunneling abuses the fact that DNS traffic (UDP/TCP port 53) is allowed almost everywhere and is rarely deeply inspected. Malware encodes payload bytes in subdomain labels (e.g., base32 chunks under attacker.example.com), and the attacker's authoritative server replies with TXT, CNAME, NULL, or A records carrying the response or commands. Because resolution is recursive, the data flows out even when the host can only reach an internal resolver and never contacts the attacker's IP directly. Tooling such as dnscat2, Iodine, and Cobalt Strike's DNS C2 implements this pattern; throughput is low, but the channel is stealthy.
Real campaigns rely on it. The 2020 SUNBURST backdoor in SolarWinds Orion used a domain generation algorithm to build subdomains of avsvmcloud.com, then encoded the victim's internal Active Directory domain and list of installed security products into those DNS queries as a two-way C2 channel. The Iranian-linked OilRig/APT34 and DNSpionage operations likewise leaned on DNS tunneling for tasking and exfiltration.
Detection relies on signals attackers struggle to hide: high query rate per host, unusually long labels, high subdomain entropy (base32/base64/hex strings), atypical record types like TXT or NULL, and never-before-seen domains. Defences include forcing all clients through controlled resolvers, blocking direct outbound port 53 at the egress firewall, DNS sinkholing, query rate limits, and anomaly analytics in EDR/NDR.
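The detection signals listed above, turned into a small analytic over a constructed resolver log (added example, not part of the original page): it flags long labels, high-entropy labels, tunnelling-friendly record types and per-second query bursts to one registered domain. The log format, the thresholds and the two-label registered-domain heuristic are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<epoch> <client> <qtype> <qname>"; 10.0.0.9 bursts base32-looking TXT queries.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A mail.example.com
1700000002 10.0.0.9 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.exfil.attacker.example
1700000002 10.0.0.9 TXT nbswy3dpfqqho33snrscc5dlmnxgkzla.exfil.attacker.example
1700000002 10.0.0.9 TXT onswg4tfor2dkyjqnbtgc2lbeb2gk3tu.exfil.attacker.example
1700000003 10.0.0.9 TXT mz2hmzlsnfzq.exfil.attacker.example
1700000004 10.0.0.5 AAAA cdn.example.net
"""

# Thresholds are illustrative assumptions; tune them against your own traffic baseline.
SUSPICIOUS_QTYPES = {"TXT", "NULL", "CNAME"}
MAX_LABEL_LEN = 30       # legitimate labels are rarely this long
ENTROPY_THRESHOLD = 3.5  # bits/char for labels >= 16 chars; base32/base64/hex blobs score higher
RATE_THRESHOLD = 3       # queries per second from one client to one registered domain

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def score_query(qtype: str, qname: str) -> list:
    """Per-query signals: long label, high-entropy label, tunnelling-friendly record type."""
    reasons = []
    longest = max(qname.rstrip(".").split("."), key=len)
    if len(longest) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if len(longest) >= 16 and shannon_entropy(longest) > ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    if qtype in SUSPICIOUS_QTYPES:
        reasons.append(f"qtype_{qtype}")
    return reasons

def analyze(log_text: str) -> dict:
    """Aggregate signals per (client, registered domain) and add the per-second rate check."""
    per_second, findings = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        ts, client, qtype, qname = line.split()
        dom = ".".join(qname.rstrip(".").split(".")[-2:])  # assumes a 2-label registered domain
        findings[(client, dom)].update(score_query(qtype, qname))
        per_second[(client, dom, ts)] += 1
    for (client, dom, _), n in per_second.items():
        if n >= RATE_THRESHOLD:
            findings[(client, dom)].add("high_rate")
    return {key: sorted(r) for key, r in findings.items() if r}
```

Running analyze(SAMPLE_LOG) flags only the 10.0.0.9 to attacker.example pair; the normal browsing from 10.0.0.5 produces no findings.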
Diagram (mermaid flowchart source):
flowchart LR
    M[Infected host] -->|"data.b32label.attacker.com"| R[Internal resolver]
    R -->|recursive lookup| AUTH[Attacker authoritative NS]
    AUTH -->|"TXT/CNAME reply = command"| R
    R --> M
    AUTH -.reassembles.-> D[(Stolen data and C2)]
● Examples
1. An infected host sends queries like a1b2c3.exfil.attacker.com whose labels encode stolen data.
2. dnscat2 establishes a TXT-based shell over DNS to bypass an HTTP-only egress proxy.
● Frequently asked questions
What is DNS Tunneling?
A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration. It belongs to the Network Security category of cybersecurity.
What does DNS Tunneling mean?
A covert channel that encodes arbitrary data inside DNS queries and responses on UDP/TCP port 53, frequently used for command-and-control and data exfiltration.
How do you defend against DNS Tunneling?
Defences for DNS Tunneling typically combine technical controls (forcing clients through controlled resolvers, blocking direct outbound port 53 at the egress firewall, DNS sinkholing, query rate limits) with operational practices (anomaly analytics in EDR/NDR watching for long or high-entropy labels, unusual record types and new domains), as detailed in the full definition above.
What are other names for DNS Tunneling?
Common alternative names include: DNS C2, DNS exfiltration.