How does DNS tunneling work?

DNS tunneling relies on the fact that DNS traffic is almost always allowed out of a network, so it can be used to carry other traffic without attracting attention. Here’s how it works, step by step:

  1. The attacker registers a domain
    The domain, like badsite.com, is controlled by the attacker and points to a server they own.
  2. The attacker infects a computer
    They use malware to gain control of a computer inside a target network. The computer becomes the client for the DNS tunnel.
  3. The client sends a DNS query
    The infected computer encodes data in DNS queries. For example, it puts a secret value in the subdomain of a DNS request.
  4. The query reaches the DNS resolver
    The DNS resolver forwards the request to the appropriate servers to resolve the domain name.
  5. The attacker’s server decodes the request
    The attacker’s server receives the DNS request. It decodes the embedded data and can send back commands or other data in DNS responses.
  6. The server encodes a response
    The attacker’s server encodes its own data as a DNS response. This could be an instruction for the infected computer to carry out.
  7. The client receives and decodes the response
    The infected computer receives the DNS response from the resolver. It decodes the data and takes action as instructed.
  8. The process repeats as needed
    If the data is too large for a single DNS message, the client and server split it into smaller parts. Each part is sent in its own DNS query or response.

Attackers often use tools like iodine, dnscat2, and Cobalt Strike to perform DNS tunneling; these tools handle the encoding and decoding of data within DNS packets.

Essentially, DNS tunneling uses the trusted DNS protocol as a cover for sending hidden data. This lets attackers maintain a covert channel between a compromised system and their command server.
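Steps 3 and 8 above leave a measurable footprint on the resolver: many distinct, long, random-looking subdomains under a single zone. The following detection sketch is an added example, not code from the original post or from Palo Alto Networks; it runs over a constructed resolver log, and the zone names, client IPs and thresholds are assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed resolver log sample ("<client> <qtype> <qname>"), not from the post.
# The first zone imitates a tunnel: many unique, long, random-looking labels.
SAMPLE_LOG = """\
10.0.0.5 TXT 6a7f3b9c2e1d4a8b5f0c9e3d7a1b2c4f.t.example-tunnel.net
10.0.0.5 TXT 9d2e4c7b1a3f5e8d0b6c2a4f7e9d1c3b.t.example-tunnel.net
10.0.0.5 TXT 4b8c1e3f7a2d9b5c0e6f3a1d8b7c2e4a.t.example-tunnel.net
10.0.0.7 A www.example.com
10.0.0.7 A mail.example.com
10.0.0.9 A www.example.com
"""

def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payload labels score near their alphabet size."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def split_name(qname):
    """(zone, subdomain); zone = last two labels, ignoring public-suffix rules like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def summarize_zones(log_text):
    """Per-zone features: unique subdomains, summed label length/entropy, TXT/NULL count."""
    stats = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0, "n": 0, "txt": 0})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        zone, sub = split_name(qname)
        s = stats[zone]
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["n"] += 1
        s["txt"] += qtype in ("TXT", "NULL")
    return stats

def flag_tunnels(log_text, min_unique=3, min_len=30, min_entropy=3.0):
    """Zones whose query pattern matches the tunnel behaviour: many distinct,
    long, high-entropy subdomains carrying encoded data under one domain."""
    flagged = []
    for zone, s in summarize_zones(log_text).items():
        mean_len, mean_ent = s["len"] / s["n"], s["ent"] / s["n"]
        if len(s["subs"]) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append(zone)
    return sorted(flagged)
```

Thresholds need tuning per environment, since CDNs and some security products legitimately generate long, unique subdomains; the TXT/NULL share is a useful second signal for triage.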

CREDITS: paloaltonetworks_blog


Different types of DNS tunneling attacks:

Example: The SUNBURST malware, used in the SolarWinds breach (2020), included DNS-based C2 functionality. It used subdomain queries to pass encoded victim information to attacker-controlled nameservers.

Example: In 2017, researchers uncovered DNSMessenger, a PowerShell-based backdoor that used DNS TXT records to exfiltrate data without writing files to disk.

Example: OilRig, an APT group active since 2014, used DNS tunneling to map network structures and identify targets before escalating attacks.

Example: Astrill VPN and HA Tunnel Plus both use DNS tunneling to bypass captive portals or ISP restrictions, often observed in enterprise and commercial travel networks.

Example: The Decoy Dog campaign (2023) used DNS tunneling to deliver staged payloads. TXT and CNAME records were used to distribute encoded data back to infected hosts.

For mitigation, detection and prevention strategies, follow the Palo Alto Networks blog.

PRACTICAL COMING SOON FOR ADVANCED DNS C2 OPERATION USING dnscat2