eastbaycyber

What Is DNS Tunneling?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

DNS tunneling is a technique that uses the Domain Name System for purposes it was not intended for. Instead of only resolving names like example.com into IP addresses, the DNS channel is repurposed to transport information.

DNS tunneling is the abuse of DNS traffic to carry data, attacker commands, or other communications through a network that might block more obvious channels. Attackers use DNS tunneling because DNS is widely allowed across corporate networks, firewalls, and proxies, which makes it a useful covert path for command-and-control or data exfiltration.

In practice, the attacker hides information inside DNS queries or responses instead of using normal web traffic. For related background, see what is command and control and what is data exfiltration.

How DNS tunneling works

DNS tunneling usually appears after a host has already been compromised. It is more often a stealth or control technique than an initial access method.

The attacker compromises a host first

A workstation, server, or other endpoint is infected through some other path, such as:

  • Phishing
  • Malware execution
  • Stolen credentials
  • Exploitation of a vulnerable service

Once the attacker has code running on the device, that malware needs a way to communicate out. If direct HTTP, HTTPS, or custom outbound protocols are blocked or watched closely, DNS may be used as a fallback.

The attacker controls a domain and nameserver

To receive the tunneled traffic, the attacker typically registers a domain and operates the authoritative DNS infrastructure for it.

For example, malware on the victim host may generate DNS queries for subdomains under an attacker-controlled domain. Those subdomains are not random in the normal sense. They may contain encoded data.

A request might look like a strange series of labels under a domain the attacker controls. The attacker’s DNS server receives the query and extracts the embedded information.

Data is encoded into DNS requests and responses

DNS tunneling can be used in both directions:

  • Outbound: The compromised host sends encoded data inside DNS queries
  • Inbound: The attacker sends commands or payload fragments back in DNS responses

Because DNS has length limits and naming rules, tunneled data is often broken into smaller pieces and encoded in DNS-safe text. That makes DNS tunneling slower than normal network protocols, but attackers often accept the tradeoff because the goal is stealth and reach, not speed.

The traffic tries to blend in

DNS is normal network behavior, so attackers rely on the fact that many organizations do not inspect it deeply.

Suspicious patterns may include:

  • Very long subdomains
  • Random-looking character strings
  • Repeated requests to one unusual external domain
  • Frequent TXT record lookups
  • Consistent beaconing intervals
  • DNS request volumes that do not match normal endpoint behavior

Without DNS logging or analytics, those patterns can be easy to miss on a busy network.

The tunnel supports larger attack goals

DNS tunneling is usually not the end goal. It supports other attacker objectives, such as:

  • Maintaining command-and-control
  • Evading egress restrictions
  • Exfiltrating small but sensitive data
  • Keeping malware connected in tightly filtered environments
  • Bypassing assumptions that “web access is blocked, so outbound risk is low”

Common uses of DNS tunneling

Attackers and red teams typically use DNS tunneling for a few recurring reasons.

Command-and-control

Malware can beacon to attacker infrastructure over DNS, ask for instructions, and receive updates without relying on more obvious outbound channels.

Data exfiltration

DNS tunneling can carry stolen data out of the environment in small chunks. It is not efficient for large transfers, but it is viable for credentials, tokens, host details, or selected sensitive records.

Evasion of network controls

If an organization filters web traffic aggressively but allows broad DNS resolution, DNS may become the easiest outbound route for covert communications.

Persistence in restricted environments

In segmented or tightly monitored networks, DNS may remain one of the few universally permitted protocols. That makes it attractive as a backup channel.

When you are likely to encounter DNS tunneling

You are most likely to encounter DNS tunneling in:

  • Incident response investigations
  • Threat hunting
  • SOC monitoring and detection engineering
  • Egress filtering reviews
  • Red team exercises
  • Network security assessments

Common real-world scenarios include:

  • A compromised endpoint repeatedly querying a strange external domain
  • Unusually large volumes of TXT record requests
  • High-entropy subdomains appearing in DNS logs
  • Malware families known to use DNS for C2
  • Concerns that data may be leaving a network despite web restrictions

For small and midsize organizations, the biggest challenge is often visibility. Many rely on default DNS resolution through endpoints, consumer-grade edge devices, or unmanaged cloud settings without centralized DNS logs. That can make malicious DNS behavior harder to detect until another signal, such as EDR or firewall telemetry, draws attention to it.

How defenders detect DNS tunneling

Defenders usually look for DNS tunneling through a combination of network visibility and behavioral analysis.

DNS logging and analytics

Centralized DNS logs help analysts spot:

  • Repeated lookups to rare domains
  • High request frequency from a single host
  • Long or encoded-looking query strings
  • Unusual record types
  • Beaconing patterns over time

Endpoint and network correlation

DNS anomalies are more useful when correlated with other signs, such as:

  • Suspicious processes on the endpoint
  • Unexpected outbound connections
  • Malware alerts
  • Evidence of credential theft or lateral movement

If you are comparing endpoint protection options for detecting suspicious malware behavior on user devices, tools like Get Malwarebytes → can be a practical layer for smaller teams, though DNS monitoring still needs network-side visibility.

Restricting DNS paths

Many organizations reduce risk by:

  • Forcing endpoints to use approved internal resolvers
  • Blocking direct DNS to the internet
  • Filtering suspicious domains
  • Monitoring high-risk record types
  • Limiting which systems can make outbound DNS requests

Strong admin hygiene

Attackers often need a foothold before DNS tunneling matters. Reducing initial compromise risk with unique credentials stored in a password manager like Try 1Password → can help cut off one of the common starting points.

DNS

DNS is the system that translates domain names into IP addresses. DNS tunneling abuses that expected service for covert communications.

Command and control

Command and control is the channel attackers use to communicate with compromised systems. DNS tunneling is one possible C2 method.

Data exfiltration

Data exfiltration is the unauthorized removal of data from an environment. DNS tunneling can be used as a slow but stealthy exfiltration path.

Beaconing

Beaconing is the periodic check-in behavior of compromised systems. DNS-based beaconing is a common sign of tunneling or malware communication.

Egress filtering

Egress filtering controls what traffic is allowed to leave a network. DNS tunneling matters because DNS is often allowed more freely than it should be.

Final takeaway

DNS tunneling is the abuse of DNS queries and responses to move data or attacker communications through networks that might block other outbound traffic. It is valuable to attackers because DNS is essential, common, and often less scrutinized than web traffic.

The main lesson for defenders is straightforward: if DNS is allowed but not monitored, it can become a covert channel for command-and-control or data exfiltration. Strong DNS visibility, controlled resolver paths, and endpoint monitoring make that path much harder to use quietly.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.