What Is DNS Tunneling?

In the past decade, there has been a digital upgrade in the world. More and more businesses are moving towards a more online system, whether promoting their business through a website or selling their products online.

However, some negative aspects of digitalization come in the form of cyber crimes. There has been an increasing number of cases of cyber abuse and hackers attacking different sites, causing various losses.

What Is DNS Tunneling?

DNS Tunneling is a way in which cyber criminals attack a DNS server and use it for data exfiltration. A DNS server can be compared to a phone directory containing all the IP addresses of the different sites. And in this DNS, admins can request DNS queries or requests into a database.

As a result, online criminals and hackers use DNS tunneling as a way to enter the DNS server. After entering the server, the attacker can ‘tunnel’ information to and from DNS tunnels as they please. This is known as data exfiltration. The attacker can use this tunnel to introduce malware into a site, keep an eye on the activity, or even steal data. These are DNS tunneling attacks.

What Is DNS?

Domain name systems are what DNS stands for. Every website has a domain name, which a user may use to look for it online. To direct users to the websites, they wish to view, computers employ IP addresses, also known as internet protocol addresses. This keeps everything operating smoothly and without any issues.

Each device has a specific IP address, which comprises a special set of digits. You may visit other websites with the help of their unique numbers or IP addresses. However, it might be challenging to recall the many IP addresses for the various websites. As a result, each IP address is associated with a domain name in English. Domain names are significantly simpler to remember than an IP address.

How Does DNS Tunneling Affect a Site?

DNS servers are not the most secure as they allow DNS queries to pass through the firewall yo the DNS resolver easily and send queries. The attackers used this to their advantage in DNS tunneling. They register to a target domain names where they want to be directed.

The attacker then issues a command and creates and takes command of a channel. This channel is then used to introduce malware through malware software on the attacker’s computer. When the traffic goes from the attacker’s computer to the top level domain servers, it carries malware. And when the traffic flows from the server to the criminal’s computer, it contains important and useful information. With this data exfiltration path, the attacker is able to gain access over sensitive data.

The DNS requests are always allowed to move through the firewalls. Therefore a connection can be easily made between the victim’s compromised system and attacker using a DNS server. However, there is no direct connection between the attacker’s server and the attacked server, which makes it almost impossible to trace the attacker.

How To Identify DNS Tunneling?

DNS tunneling may be intricate to detect and trace, but it is not impossible. DNS tunneling uses malware to issue commands and connect to a target DNS server without any link to the attacker. The attacker controlled domain can be issued commands by the cyber attacker.

This makes it complicated, but with the knowledge of some signs, DNS tunneling can be easily detected. Certain detection markers for DNS tunneling are;

Requests For Unusual Domains:

DNS tunneling works if the attacker owns a domain in the target area. A domain is a set of sites controlled by one business or organization. The attacker can send DNS request to DNS resolver for unusual domains that may not exist.

This is a way to gain access to the internal DNS server and make a tunnel. But you can also use it to look for any possible DNS attacks. Therefore, if there is any newly launched domain coupled with an unusual amount of requests for an unknown domain, or an unusual DNS record type can be a signal toward a possible DNS tunneling attack.

Uncommon or Unusual Domain Requests:

While the name might be similar, it is a slightly different issue. In DNS tunneling, malware encodes data inside a requested domain name. Therefore, requests for a domain name can be thoroughly examined as a preventive measure.

This can result in finding any requests for atypical domains with domain pointing to the server that do not exist. This can be an indication that someone is trying to attack. Additionally, in this way, you can differentiate fake and genuine traffic from each other. Modern domain generation algorithms and network detection can detect this form of malicious activity.

High Volume of DNS Traffic:

The maximum number of characters that a DNS request can carry in a domain is 253 characters. However, in order to carry out commands or steal information, there is a need to transfer huge amounts of data and hence characters.

As a result, any cybercriminal or attacker must launch multiple requests to get more characters which as a results increase the DNS traffic or in some cases email traffic. This is a way which attacker exploit DNS protocols and hence provides a way to monitor and prevent any possible DNS attacks.

If there is an unusual increase in the traffic of the server, this indicates an upcoming attack. A frequent inspection of the server and traffic analysis, the requests received by the server can be used as a preventive measure against any attacks.

All in all, you can take some measures to detect any DNS tunneling attacks and stop or fight against them. The first way is to carry out a payload analysis. This is how any unusual transfer and data communication are checked. If there is a high amount of data being exchanged by the user, it can indicate a possible DNS tunnel.

In addition to that, payload analysis can also catch any requests made for any atypical domain names that do not exist or even for an unusual amount of requests made for a certain domain name. This comes under the umbrella of malicious DNS requests which can lead to malicious queries. A thorough payload analysis can easily distinguish between malicious traffic and legitimate traffic among the overall browser traffic.

The second way is to take a look and analyze the DNS traffic. While a DNS tunnel is made and, in effect, a large amount of data is being exchanged (in the form of malware being introduced and information being stolen). This causes a surge in the DNS traffic and DNS requests which is more than usual and, therefore, an indication of a DNS attack. A thorough traffic analysis and of DNS requests will bring forward these results.

Therefore, there are numerous ways for detecting DNS tunneling. Once detected, a DNS query response protocol can then be used through DNS resolver routes.

 DNS Tunneling Toolkits

Many DNS tunneling toolkits are DNS tunneling utilities made use of to carry out the attacks. These toolkits make it easier and simpler for the attackers to attack and access the affected server.

Iodine is one of the DNS tunneling program that allow the attacker to make use of all the IPv4 traffic. This way, all the customer’s computers can be connected, and all the ports can be easily used. This toolkit can be used through a TUN or TAP device and has high optimization and performance. The only cons for this are that drivers need to tunnel data, and there is no encryption of DNS tunneling exploits (tunneled data).

Heyoka is another DNS tunneling toolkit, which helps in performing DNS tunneling attack but can only be used through windows but is 60% faster than other toolkits. Heyoka creates a two-way or bidirectional tunnel so attackers can introduce cyber criminals and steal the malware and data simultaneously. This also helps in hiding the device tunneling the data from the firewall. The downside is no encryption for tunneled data, and it can only be made use of Windows OS, and instability.

How To Protect Against DNS Tunneling?

When the DNS servers were made, the internet was a safe space for its users therefore there weren’t many security in DNS protocol. But today, there is an increasing need for security while surfing or using the internet. Therefore there are many ways in which you can protect a DNS protocol against any possible DNS tunneling attack, such as;

  1. Install anti-virus and anti-malware software which can detect any issues in the DNS messages and resolve it before it can cause too much damage.
  2. Do not make use of servers that are known for data exfiltration.
  3. Make use of a DNS firewall that can search for DNS tunneling.
  4. Make use of softwares or tools that can distinguish between genuine and fake traffic. These tools (DNS monitoring utilities) can catch any unusual queries being made to the server and cease the connection.
  5. Make sure to check analytical checks on the server at regular intervals. These checks can show up any unusual activity like high DNS traffic volume in the DNS protocol.


The internet is no longer safe due to the increasing number of cybercrimes. Therefore, there is a need to learn about the different types of attacks and how to protect against them to prevent any issues.

DNS tunneling can cause issues to normal computer users and large companies and result in privacy, customer information, and monetary loss.

There have been new and innovative techniques to enhance the effect of DNS tunneling and keep the attack secret for as long as possible. As a result, firewalls are not safe enough to protect a server from such attacks.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent and Agentless

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.