How does DNS tunneling work?
It’s a step-by-step process that relies on the openness of DNS to carry other traffic without detection.
Here’s how it works, step by step:
- The attacker registers a domain: The domain, like badsite.com, is controlled by the attacker and points to a server they own.
- The attacker infects a computer: They use malware to gain control of a computer inside a target network. The computer becomes the client for the DNS tunnel.
- The client sends a DNS query: The infected computer encodes data in DNS queries. For example, it puts a secret value in the subdomain of a DNS request.
- The query reaches the DNS resolver: The DNS resolver forwards the request to the appropriate servers to resolve the domain name.
- The attacker’s server decodes the request: The attacker’s server receives the DNS request. It decodes the embedded data and can send back commands or other data in DNS responses.
- The server encodes a response: The attacker’s server encodes its own data as a DNS response. This could be an instruction for the infected computer to carry out.
- The client receives and decodes the response: The infected computer receives the DNS response from the resolver. It decodes the data and takes action as instructed.
- The process repeats as needed: If the data is too large for a single DNS message, the client and server split it into smaller parts. Each part is sent in its own DNS query or response.
Attackers often use tools like iodine, dnscat2, and Cobalt Strike to perform DNS tunneling; these tools handle the encoding and decoding of data within DNS packets.
Essentially, DNS tunneling uses the trusted DNS protocol as a cover for sending hidden data. This lets attackers maintain a covert channel between a compromised system and their command server.
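As an added example (not from the original post or the Palo Alto Networks blog), the following Python script profiles constructed resolver log lines and flags domains whose query pattern matches the chunked, encoded subdomains described in the steps above: many distinct subdomains, long labels, high label entropy, and a large share of TXT queries. The log format, the rule that the registered domain is the last two labels, the thresholds, and the sample data are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one "<client> <qtype> <qname>" per line; the
# badsite.com queries mimic chunked hex data carried in subdomain labels.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4a6f686e.616e64.736563726574.badsite.com
10.0.0.7 TXT 9f3e1c7b2d4a8e6f0c1b3d5e7f9a2c4e.badsite.com
10.0.0.7 A 0a1b2c3d4e5f60718293a4b5c6d7e8f9.badsite.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded chunks approach 4, hostnames stay lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def profile_domains(log_text: str) -> dict:
    """Per registered domain (assumed: last two labels): unique subdomains,
    mean subdomain length, max label entropy and share of TXT queries."""
    agg = defaultdict(lambda: {"subs": set(), "n": 0, "txt": 0, "ent": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, qtype, qname = parts
        labels = qname.rstrip(".").split(".")
        sub, domain = ".".join(labels[:-2]), ".".join(labels[-2:])
        st = agg[domain]
        st["subs"].add(sub)
        st["n"] += 1
        st["txt"] += qtype == "TXT"
        st["ent"] = max(st["ent"], *map(shannon_entropy, sub.split(".")))
    return {d: {"unique_subs": len(s["subs"]),
                "avg_sub_len": sum(map(len, s["subs"])) / len(s["subs"]),
                "max_entropy": s["ent"], "txt_share": s["txt"] / s["n"]}
            for d, s in agg.items()}

def flag_tunneling(log_text, min_unique=3, min_avg_len=20.0, min_entropy=3.5):
    """Return {domain: [reasons]} for domains whose queries look like the
    chunked, encoded-subdomain exchange above; thresholds are illustrative."""
    flagged = {}
    for domain, s in profile_domains(log_text).items():
        if s["unique_subs"] < min_unique:
            continue  # too few distinct queries to judge
        checks = [(s["avg_sub_len"] >= min_avg_len, "long subdomains"),
                  (s["max_entropy"] >= min_entropy, "high-entropy label"),
                  (s["txt_share"] >= 0.5, "mostly TXT queries")]
        if reasons := [why for hit, why in checks if hit]:
            flagged[domain] = reasons
    return flagged
```

On the sample log, only badsite.com is flagged (all three reasons), while example.com passes the volume gate but stays below every threshold; on real traffic, tune the thresholds against a baseline of known-good CDN and telemetry domains, which also produce many distinct subdomains.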
CREDITS: paloaltonetworks_blog
Different types of DNS tunneling attacks:
Example: The SUNBURST malware, used in the SolarWinds breach (2020), included DNS-based C2 functionality. It used subdomain queries to pass encoded victim information to attacker-controlled nameservers.
Example: In 2017, researchers uncovered DNSMessenger, a PowerShell-based backdoor that used DNS TXT records to exfiltrate data without writing files to disk.
Example: OilRig, an APT group active since 2014, used DNS tunneling to map network structures and identify targets before escalating attacks.
Example: Astrill VPN and HA Tunnel Plus both use DNS tunneling to bypass captive portals or ISP restrictions—often observed in enterprise and commercial travel networks.
Example: The Decoy Dog campaign (2023) used DNS tunneling to deliver staged payloads. TXT and CNAME records were used to distribute encoded data back to infected hosts.
For mitigation, detection and prevention strategies, follow the blog of Palo Alto Networks.
PRACTICAL COMING SOON FOR ADVANCED DNS C2 OPERATION USING dnscat2