DNS tunneling is the use of the DNS protocol to encapsulate other protocols. Tunneling is a process in which the client encodes requests and responses and sends them to a server that accepts DNS requests; that server decodes the DNS traffic and converts it to the target protocol. DNS tunneling can be used for command and control ("C2" or "C&C") communication and as a functional equivalent of a virtual private network (VPN).
DNS tunneling can also be used for exfiltration and infiltration. Exfiltration and infiltration of information via DNS is covered in a separate section, because detection and prevention take different approaches there.
The monitoring infrastructure needed to detect DNS tunneling requires careful consideration. Detection is challenging when looking at the queries alone, since DNS tunneling uses the DNS protocol itself. Without context, tunneled traffic may look like a normal client sending DNS requests to a remote server and receiving ordinary responses. Use of encrypted DNS protocols such as DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) makes detection more difficult.
The general approach for detecting DNS tunneling would be to look for suspicious behavior in patterns of network traffic. Such patterns include:
Connecting directly to the remote server and sending a normal DNS request can help verify whether it is an actual DNS server. Incorrect or malformed responses may indicate that it is not being used for normal DNS operations.
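As an added example (not code from the original page or from any of the tools it names), a small Python scorer that applies common tunneling heuristics to constructed DNS query-log lines: long or high-entropy leftmost labels, many distinct subdomains under one registered domain, and TXT/NULL record types. The log format, the thresholds and the domain names are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of query-log lines in the assumed format "client qname qtype".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 4a7f9c2e1b8d3f6a0c5e2b9d7f1a3c8e.t.example-tunnel.net TXT
10.0.0.7 9d2c7e1f4b8a3c6d0e5f2a7b9c1d4e8f.t.example-tunnel.net TXT
10.0.0.7 1f3e5d7c9b2a4e6d8c0f2a4b6d8e0f1a.t.example-tunnel.net NULL
10.0.0.7 7b9d1f3a5c7e9b2d4f6a8c0e2d4f6a8b.t.example-tunnel.net TXT
10.0.0.9 cdn.example.org AAAA
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score near 4 (hex) or higher."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude approximation using the last two labels (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze(log_text: str, min_unique=3, max_label_len=30, min_entropy=3.5):
    """Return {registered_domain: sorted flags} for domains with at least two indicators."""
    per_domain = defaultdict(lambda: {"subs": set(), "flags": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines rather than crash
        _client, qname, qtype = parts
        name = qname.lower().rstrip(".")
        dom = registered_domain(name)
        sub = name[: -len(dom) - 1] if name != dom else ""
        entry = per_domain[dom]
        entry["subs"].add(sub)            # each distinct subdomain is one "message"
        first = sub.split(".")[0] if sub else ""
        if len(first) > max_label_len:
            entry["flags"].add("long_label")
        if shannon_entropy(first) > min_entropy:
            entry["flags"].add("high_entropy")
        if qtype.upper() in ("TXT", "NULL"):
            entry["flags"].add("unusual_qtype")
    suspects = {}
    for dom, entry in per_domain.items():
        flags = set(entry["flags"])
        if len(entry["subs"]) >= min_unique:
            flags.add("many_unique_subdomains")
        if len(flags) >= 2:               # require corroboration to limit false positives
            suspects[dom] = sorted(flags)
    return suspects
```

Thresholds should be tuned against a baseline of the organisation's own query logs, since CDNs and some security products also generate long, high-entropy labels.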
There are many open-source tools for setting up VPN-style tunnels over DNS. Network defenders should consider this a commonly accessible capability. Some examples of packages that can perform DNS tunneling are:
Some network forensics data sources to gather evidence on these patterns for detection include:
CISA has published a thorough guide on implementing enterprise DNS in order to detect and block DNS tunneling: https://www.cisa.gov/sites/default/files/2024-05/Encrypted%20DNS%20Implementation%20Guidance_508c.pdf
An excellent and very thorough paper on detecting DNS tunneling is recommended here: https://www.giac.org/paper/gcia/1116/detecting-dns-tunneling/108367
A description of DNS tunneling and how it can be abused: DNS Tunneling: how DNS can be (ab)used by malicious actors (paloaltonetworks.com)