Heimdal

DNS tunneling is one of the most widely used techniques threat actors rely on to smuggle data past network defenses.

It works by hiding data, typically attacker commands and stolen information, inside DNS queries and responses. Because almost every network allows DNS out and rarely inspects it, that traffic slips past firewalls and other network controls.

In DNS tunneling, the attacker uses ordinary DNS transactions to communicate with a malicious server that acts as the authoritative name server for a domain the attacker controls.

Key takeaways:

  • the DNS protocol has no built-in security; you need to secure it to prevent specific threats
  • hackers use DNS tunneling to hide command-and-control traffic, stolen data and sometimes malware payloads inside legitimate-looking DNS traffic
  • DNS tunneling enables bad actors to evade detection while they exfiltrate data
  • DNS security is the first line of defense against cybersecurity attacks
  • for DNS tunneling to work, the hacker first needs to compromise the victim’s device

How Does DNS Tunneling Work?

DNS tunneling moves data across a network boundary even when the protocol you actually want to use is not allowed through: the data is encoded into DNS queries and responses, which almost always are.

Hackers use this trick to smuggle commands, malware or stolen data through DNS queries. The traffic inside may be HTTP, SSH or raw TCP, but it is hidden inside what looks like normal DNS communication.

In simple terms, they wrap chunks of data inside DNS packets, usually as subdomain labels in the query name and as record data in the response.

These packets look like normal DNS, so they slip past network filters that allow DNS without inspecting it. This way, the attacker avoids content filtering and firewall detection.

5 steps of the DNS tunneling process

  • First, the threat actor registers a domain and delegates it (via its NS records) to a server they control that already runs the tunneling software.
  • Second, they infect the victim’s device with malware. Phishing, adware and social engineering are common ways to obtain initial access. The malware then encodes its data into DNS queries for subdomains of the attacker’s domain; because outbound DNS is almost always permitted, these queries pass the firewall without restriction.
  • After that, the recursive DNS server (DNS resolver) looks the name up through the root and top-level domain servers, which refer it to the attacker’s name server.
  • The DNS resolver forwards the query to that authoritative DNS server, which runs the tunneling software and is controlled by the threat actor. It decodes the data and can send commands back inside its answer.
  • There you go! The cybercriminal now has a covert, easy-to-use channel to the victim. Through it, the threat actor can exfiltrate information or run commands on the victim’s machine.

The attacker’s server is harder to trace because there is no direct connection between it and the victim: every packet travels through the organization’s own resolver and the public DNS hierarchy.
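To make the mechanics of the five steps concrete, here is an added example, written for this edit and not taken from the page, from Heimdal or from any real tunneling tool. It encodes a payload into DNS query names the way the malware on the victim (step 2) would, and reassembles it the way the attacker’s authoritative server (step 4) would, while respecting the 63-character label and 253-character name limits of RFC 1035. The domain `t.example.com`, the hex sequence-number label and the name layout are assumptions for illustration.

```python
import base64
from typing import Iterable, List

# RFC 1035 limits on the text form of a domain name.
LABEL_MAX = 63      # one dot-separated label is at most 63 characters
NAME_MAX = 253      # the whole name is at most 253 characters
SEQ_DIGITS = 4      # hex sequence number prefixed to every query (assumption)

# Assumed attacker-registered domain whose NS records point at the tunnel server.
TUNNEL_DOMAIN = "t.example.com"


def validate_name(name: str) -> bool:
    """True if the name fits the RFC 1035 length limits."""
    if len(name) > NAME_MAX:
        return False
    return all(0 < len(label) <= LABEL_MAX for label in name.split("."))


def payload_capacity(domain: str = TUNNEL_DOMAIN) -> int:
    """Base32 characters that fit in one query name under `domain`.

    Layout: <seq>.<label>.<label>...<domain>. Each payload label costs its
    length plus one dot, so the budget is spent in 64-character units.
    """
    avail = NAME_MAX - len(domain) - SEQ_DIGITS - 1   # -1: the dot after <seq>
    full_labels, rem = divmod(avail, LABEL_MAX + 1)
    partial = rem - 1 if rem >= 2 else 0              # a short last label + dot
    return full_labels * LABEL_MAX + partial


def encode_queries(data: bytes, domain: str = TUNNEL_DOMAIN) -> List[str]:
    """Split `data` into the query names a tunneling client would send."""
    # Lower-case, unpadded base32: resolvers may fold case, and '=' is not
    # a legal hostname character.
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    cap = payload_capacity(domain)
    names = []
    for seq, start in enumerate(range(0, len(text), cap)):
        chunk = text[start:start + cap]
        labels = [chunk[i:i + LABEL_MAX] for i in range(0, len(chunk), LABEL_MAX)]
        # SEQ_DIGITS hex digits cap one message at 16**SEQ_DIGITS queries.
        name = f"{seq:0{SEQ_DIGITS}x}." + ".".join(labels) + "." + domain
        assert validate_name(name), name
        names.append(name)
    return names


def decode_queries(names: Iterable[str], domain: str = TUNNEL_DOMAIN) -> bytes:
    """Reassemble the data from query names seen at the authoritative server.

    Queries can arrive out of order (retries, several resolvers), so the
    sequence label is used to sort the pieces before joining them.
    """
    suffix = "." + domain
    pieces = {}
    for name in names:
        if not name.endswith(suffix):
            continue                       # not a tunnel query; ignore it here
        labels = name[:-len(suffix)].split(".")
        pieces[int(labels[0], 16)] = "".join(labels[1:])
    text = "".join(pieces[k] for k in sorted(pieces))
    text += "=" * (-len(text) % 8)         # restore the base32 padding
    return base64.b32decode(text, casefold=True)


if __name__ == "__main__":
    # Constructed sample payload, not real data.
    secret = b"db_password=hunter2; api_key=deadbeef\n" * 10
    queries = encode_queries(secret)
    print(f"{len(secret)} bytes -> {len(queries)} queries of <= {NAME_MAX} chars")
    print(queries[0])
    assert decode_queries(reversed(queries)) == secret
```

Printing the generated names shows what a defender sees on the wire: each query name is close to the 253-character limit, its labels are long runs of base32 text rather than words, every query under the domain is a new, never-repeated hostname, and a few hundred bytes of data cost several queries. Those properties are exactly the indicators the detection sections later in this article look for.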

What Is DNS Tunneling Used for

Like many other IT tools and concepts, tunneling can be both useful and harmful:

  • bad guys use DNS tunneling to avoid detection and bypass the network’s security measures, like firewalls
  • IT administrators use tunneling to make communication between networks safer and more efficient. A VPN, for example, is a legitimate tunnel. DNS tunneling in particular is rarely legitimate on a corporate network, so seeing it is usually an indicator of compromise

In practice, DNS tunneling attacks result in:

  • Data exfiltration: attackers sneak information out over DNS. It is slow, since each query carries only a few hundred bytes, but it works and is rarely inspected.
  • Command and control: the attacker’s server returns instructions inside DNS answers, and the malware reports results back in further queries.
  • IP-over-DNS tunneling: some tools implement a full IP stack on top of the DNS query/response protocol. Once such a tunnel is up, the attacker can run ordinary network programs like FTP, Netcat or SSH through it.


How to Detect a DNS Tunneling Attack

There are two strong indicators that you might be a victim of DNS tunneling activity. Let’s first define those and then move forward to methods of detecting DNS tunneling.

Unusual Domain Requests

DNS tunneling malware hides encoded, and often encrypted, data inside the subdomain labels of a query name.

One way to spot it is by watching DNS requests closely. If you know what normal traffic looks like, odd or suspicious domain patterns will stand out.

High DNS Traffic Volume

A domain name in a DNS query is limited to 253 characters, and each dot-separated label to 63, so a single query carries at most a few hundred bytes of payload. To exfiltrate any meaningful amount of data or run an interactive command-and-control channel, an attacker has to send a large number of queries.

This generates an abnormal traffic volume, often concentrated on a single domain, which should alert the IT team that something fishy is going on.

The techniques for observing DNS indicators of compromise (IoCs) and detecting a DNS tunneling attack fall in two categories:

Payload Analysis

Payload analysis means you should check for the following signs:

  • the size of requests and answers
  • unusual hostnames
  • unusual DNS record types (TXT or NULL queries from ordinary workstations, for example)
  • DNS lookups sent directly to outside resolvers, bypassing the policy that routes them through the internal DNS server

A normal hostname is made of readable words, not encoded text, and contains few digits. Long subdomains of random-looking letters and numbers, or a high share of numerical characters, are a sign of encoded data.

Traffic Analysis

Traffic analysis helps detect anomalous DNS behavior. Use it to check:

  • the volume of DNS traffic per source IP address and per domain
  • the number of unique hostnames per domain
  • the geographic location of the authoritative servers that answer your queries

Large amounts of DNS traffic to domains hosted in geographical areas you have no business with should look suspicious. You can also check the history of a domain: find out when its A (or AAAA) and NS records were created. Tunnel domains are typically young, and their NS records point at a server the attacker controls.
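As an added example covering both the payload analysis and the traffic analysis checks above (this is not Heimdal’s detection logic and not code from the page), the script below runs those checks over a small constructed query log: it measures query-name length, the entropy of the subdomain part, the number of unique hostnames per domain and the share of TXT/NULL queries, then flags a domain only when two or more indicators fire. The log format, the domain names, the base32-looking subdomains under `t.example.org` and every threshold are assumptions made for the demonstration.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample query log, not a real capture. Assumed line format:
# <epoch> <client-ip> <qname> <qtype>
SAMPLE_LOG = """\
1700000000 10.0.0.12 www.example.com A
1700000001 10.0.0.12 mail.example.com MX
1700000001 10.0.0.12 login.example.com A
1700000002 10.0.0.12 example.com TXT
1700000002 10.0.0.14 d1a2b3c4e5f6g7.cdn.example.net A
1700000003 10.0.0.20 0000.mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.org TXT
1700000003 10.0.0.20 0001.krsxg5dtebrw63ttnfsgk3tunfqwyidborvxi5dz.t.example.org TXT
1700000004 10.0.0.20 0002.ifbeiqjsebqxezlsnfxgc3dmonzsa5dimvzgkidd.t.example.org TXT
1700000004 10.0.0.20 0003.pbqww5dfojuwc3bamnxw443uojqws3tuomqgc3tb.t.example.org TXT
1700000005 10.0.0.20 0004.ojqs4yjanfzsa3tpor2gq2lom4qhe33vm5ugk3tp.t.example.org TXT
1700000005 10.0.0.20 0005.mz2wq4tlebqws3tbnrzw6idcmf2gk43u.t.example.org TXT
"""

# Record types rarely requested by ordinary clients but favoured by tunnels
# because their answers can carry more bytes per response.
UNUSUAL_TYPES = {"TXT", "NULL"}

# Thresholds are assumptions for this demo; tune them against your own baseline.
ENTROPY_MIN = 3.5            # bits per character of the subdomain part
LENGTH_MIN = 50              # average query-name length
UNIQUE_SUBDOMAINS_MIN = 5
UNUSUAL_TYPE_FRACTION = 0.5
INDICATORS_TO_FLAG = 2       # one indicator alone is too noisy to act on


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (registered domain, subdomain part).

    Assumes the registered domain is the last two labels; production code
    should use the public suffix list instead.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse_log(log_text: str) -> Dict[str, dict]:
    """Aggregate the log per registered domain and evaluate the indicators."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0,
                                 "entropy": 0.0, "unusual": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # blank or malformed line
        _ts, _client, qname, qtype = parts
        registered, sub = split_name(qname)
        s = stats[registered]
        s["n"] += 1
        s["subs"].add(sub)                # unique hostnames per domain
        s["len"] += len(qname)            # request size
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["unusual"] += int(qtype.upper() in UNUSUAL_TYPES)

    report = {}
    for domain, s in stats.items():
        n = s["n"]
        indicators = []
        if s["entropy"] / n > ENTROPY_MIN:
            indicators.append("high-entropy subdomains")
        if s["len"] / n > LENGTH_MIN:
            indicators.append("long query names")
        if len(s["subs"]) >= UNIQUE_SUBDOMAINS_MIN:
            indicators.append("many unique subdomains")
        if s["unusual"] / n > UNUSUAL_TYPE_FRACTION:
            indicators.append("unusual record types")
        report[domain] = {
            "queries": n,
            "indicators": indicators,
            "flagged": len(indicators) >= INDICATORS_TO_FLAG,
        }
    return report


def flagged_domains(log_text: str) -> List[str]:
    """Domains that trip at least INDICATORS_TO_FLAG indicators."""
    return sorted(d for d, r in analyse_log(log_text).items() if r["flagged"])


if __name__ == "__main__":
    for domain, r in sorted(analyse_log(SAMPLE_LOG).items()):
        mark = "FLAG" if r["flagged"] else "ok  "
        print(f"{mark} {domain:12} queries={r['queries']:2}  {', '.join(r['indicators'])}")
```

On the sample log only `example.org` is flagged, on all four indicators. The CDN-style hostname under `example.net` trips the entropy check by itself, which is why the script requires two indicators before flagging: many legitimate services use hashed or random-looking hostnames, and a single heuristic will drown a SOC in false positives. In production the same aggregation should be run per source address as well as per domain, and the thresholds set from a few weeks of your own baseline traffic.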


How to Keep Safe from DNS Tunneling Attacks

Most companies consider the DNS protocol safe and trustworthy by default. This is why few of them use traffic analysis to check DNS packets for malicious data; they focus their resources on email traffic, for example, instead.

However, ignoring DNS security best practices brings serious risks to your infrastructure. For obvious reasons, you can’t just block a vital service like DNS. So, here’s what you can do to protect against DNS tunneling attacks.

  • Make sure that all internal clients send their DNS queries to an internal DNS server, and block direct outbound DNS to anything else at the firewall, so malicious domains can be rejected in one place.
  • Create a DNS firewall (for example, response policy zones on the resolver) to block known bad domains and stop the tunnel before it starts.
  • Use a real-time DNS security solution to identify odd DNS requests and network traffic patterns.
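An added example of the first two recommendations, not taken from the page or from any vendor product: a BIND 9 response policy zone (RPZ) that makes the internal resolver answer NXDOMAIN for a known tunnel domain and everything beneath it, so the malware’s queries never reach the attacker’s name server. The zone name `rpz.internal`, the file path, the internal address range and the blocked domain `tunnel.example` are assumptions.

```bind
// --- named.conf (excerpt) ---------------------------------------------
// Consult the policy zone before answering any recursive query.
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };          // only internal clients may recurse
    response-policy { zone "rpz.internal"; };
};

zone "rpz.internal" {
    type master;
    file "/etc/bind/db.rpz.internal";
};

// --- /etc/bind/db.rpz.internal ----------------------------------------
// (zone file syntax; comments below start with ';')
$TTL 60
@                   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 60 )
@                   IN NS   localhost.
; "CNAME ." is the RPZ action for NXDOMAIN: the client gets no answer at all.
tunnel.example      IN CNAME .
*.tunnel.example    IN CNAME .
```

Reload the resolver with `rndc reload` after editing the zone, and bump the SOA serial on every change. Pair the RPZ with an egress firewall rule that permits UDP and TCP port 53 out only from the resolver itself; otherwise malware can simply point at a public resolver and skip the policy entirely. An RPZ only stops domains you already know about, which is why the traffic analysis described above is still needed to catch the new ones.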


How Can Heimdal® Help Mitigate DNS Tunneling Attacks?

Professionals at Heimdal® are here to help you protect against DNS based attacks and block malicious activities on the spot.

Heimdal’s DNS Security tool combines threat intelligence, machine learning, and AI-based prevention to spot and stop future threats (96% accuracy).

In 2025, Heimdal got exclusive rights to a proprietary method that uses advanced algorithms to assess domain risk based on input data processed through a computer system.

Heimdal® was the first to offer a system that incorporates genuine DNS over HTTPS, moving beyond the conventional rerouting of DNS packets.

By routing all DNS queries through an encrypted HTTPS session, the tool keeps DNS traffic from being read or tampered with on the wire.

Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Wrapping Up

Cyberattacks did not happen daily in the 1980s. When researchers designed DNS, they weren’t too concerned about network security. This left multiple doors open for the threat actors that followed.

DNS tunneling is one of those doors. Because DNS traffic is vital to our day-to-day activity, blocking it to avoid a DNS attack is not an option.

What you can and should do is use DNS monitoring tools and DNS filtering to detect and stop malicious traffic. This will keep your sensitive data and business safe.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
