DNStunnling
DNStunnling is a term used to describe the technique of transmitting data covertly through the Domain Name System (DNS) by encoding information within DNS queries and responses. It is commonly referred to as DNS tunneling and is used to establish a low-bandwidth communication channel between an internal endpoint and a remote host outside the network, often for data exfiltration or remote command and control. The method leverages the fact that DNS traffic is frequently allowed through firewalls and is widely cached, so data can be sent in small increments without triggering many standard controls. In typical implementations, a client encodes payload data into the labels of DNS queries (for example, subdomains) or into certain DNS resource records; the queries are forwarded by ordinary resolvers to an authoritative DNS server controlled by the attacker, which decodes the data and can encode return data in its responses. The channel can operate over UDP or TCP and may use standard DNS ports, sometimes employing patterns that resemble ordinary DNS traffic to avoid detection.
Usage and detection: DNS tunneling is most often associated with cybercrime, including data exfiltration and malware
Defensive measures focus on reducing exposure and increasing visibility: restrict outbound DNS to trusted resolvers, deploy
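As an added illustration of the visibility side of those defenses (example code, not from the original page or any particular product), the following Python profiler groups resolver-log queries by registered zone and flags zones whose subdomain prefixes look like encoded payloads rather than hostnames: many unique names, long prefixes, and high character entropy. The log lines and the thresholds are constructed assumptions; in practice thresholds are tuned against a baseline of the environment's own DNS traffic.

```python
import math
from collections import defaultdict

# Constructed resolver query log as (client, qname, qtype); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "cdn.example.org", "AAAA"),
    ("10.0.0.7", "www.example.com", "A"),
    # Long, high-entropy, never-repeating labels under one zone: a tunnel-like pattern
    ("10.0.0.9", "4a6f686e2044.6f652073616c.t.example.net", "TXT"),
    ("10.0.0.9", "617279203131.c4d5e6f7a8b9.t.example.net", "TXT"),
    ("10.0.0.9", "8f1c2d3e4b5a.69788d9e0f1a.t.example.net", "TXT"),
    ("10.0.0.9", "c0ffee123456.deadbeef7890.t.example.net", "TXT"),
    ("10.0.0.9", "0123456789ab.cdef01234567.t.example.net", "TXT"),
    ("10.0.0.9", "a1b2c3d4e5f6.07182930aabb.t.example.net", "TXT"),
]

def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for the empty string)."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname, zone_labels=2):
    """Split 'a.b.example.net' into ('a.b', 'example.net'); assumes a two-label zone."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def profile_zones(log):
    """Per-zone features that distinguish encoded payloads from ordinary hostnames."""
    raw = defaultdict(lambda: {"names": set(), "lengths": [], "entropies": [], "bulky": 0})
    for _client, qname, qtype in log:
        prefix, zone = split_name(qname)
        z = raw[zone]
        z["names"].add(qname.lower())
        z["lengths"].append(len(prefix))
        z["entropies"].append(shannon_entropy(prefix))
        if qtype in ("TXT", "NULL"):  # record types commonly used to carry large responses
            z["bulky"] += 1
    return {zone: {"queries": len(z["lengths"]), "unique_names": len(z["names"]),
                   "mean_prefix_len": sum(z["lengths"]) / len(z["lengths"]),
                   "mean_entropy": sum(z["entropies"]) / len(z["entropies"]),
                   "bulky_ratio": z["bulky"] / len(z["lengths"])} for zone, z in raw.items()}

def flag_tunnel_zones(log, min_unique=5, min_len=20, min_entropy=3.0):
    """Zones exceeding all three thresholds (illustrative values) are returned for review."""
    return sorted(zone for zone, p in profile_zones(log).items()
                  if p["unique_names"] >= min_unique and p["mean_prefix_len"] >= min_len
                  and p["mean_entropy"] >= min_entropy)
```

The bulky_ratio feature is reported alongside the flag so an analyst can see whether a flagged zone is also dominated by TXT or NULL lookups, which ordinary client traffic rarely is.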