DNS Tunneling
Encoding arbitrary data inside DNS queries and responses to smuggle traffic past firewalls that allow DNS but block direct connections.
DNS tunneling encodes payload bytes into the labels of DNS query names (`<base32-data>.tun.attacker.com`) and into TXT or NULL record answers, turning DNS into a covert bidirectional channel. Because most networks let DNS traffic out unfiltered (and even where port 53 is blocked at the perimeter, the internal recursive resolver still relays queries for the attacker's zone to its authoritative server), it is a reliable way to exfiltrate data or run interactive C2 from a compromised host. Tools like iodine and dnscat2 implement it; OilRig, FrameworkPOS, and DNSMessenger malware have used it in the wild. Detection looks for high query volume to a single authoritative zone, abnormally long labels, high entropy in subdomain names, and unusual record-type mixes (for example, a run of TXT or NULL lookups from one client).
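The detection heuristics described above, as an added example that is not from this page or from any of the tools it names: a small Python scorer that reads constructed resolver log lines, flags queries whose longest label is over-long or high-entropy, and marks a zone suspicious when enough of its queries trip those checks. The log format, the thresholds, and the two-label zone split are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (time, client, qname, qtype); not real traffic.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.7 nbswy3dpeb3w64tmmqqhiztpmvsw45djnzsxg.tun.badzone.test TXT
10:00:03 10.0.0.7 onswy3dpo5xxe3deeb2w64tmmq.tun.badzone.test TXT
10:00:04 10.0.0.7 krsxg5dfmqqgc3tenfxgc5a.tun.badzone.test NULL
10:00:05 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; base32/hex-encoded data scores well above hostnames."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_zone(qname: str, depth: int = 2) -> str:
    """Last `depth` labels. Assumption: a real deployment would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def score_queries(log_text, max_label_len=30, entropy_threshold=3.5, min_flagged=2):
    """Aggregate per zone: query volume, queries whose longest label is too long or too
    random, record types and clients seen. A zone is suspicious when at least
    `min_flagged` of its queries trip the per-query checks."""
    zones = defaultdict(lambda: {"queries": 0, "flagged": 0, "qtypes": set(), "clients": set()})
    for line in log_text.splitlines():
        _, client, qname, qtype = line.split()
        entry = zones[registered_zone(qname)]
        longest = max(qname.split("."), key=len)   # the data-bearing label in a tunnel
        entry["queries"] += 1
        entry["qtypes"].add(qtype)
        entry["clients"].add(client)
        if len(longest) > max_label_len or shannon_entropy(longest) > entropy_threshold:
            entry["flagged"] += 1
    for entry in zones.values():
        entry["suspicious"] = entry["flagged"] >= min_flagged
    return dict(zones)

if __name__ == "__main__":
    for zone, info in score_queries(SAMPLE_LOG).items():
        print(zone, info)
```

On real logs, tune the thresholds against a baseline of known-good zones (CDNs and some anti-spam services also emit long, high-entropy labels) before alerting on a single hit.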
Referenced on
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Over HTTPS Abuse: How Encrypted DNS Creates Security Blind Spots
- DNS Tunneling Attack: How Data Is Smuggled Through Port 53
- Fast Flux DNS: How Botnets Hide Behind Rapidly Rotating IP Addresses
- How to Report Malware and Botnet Command-and-Control Traffic From an IP Address