Firewalls rarely block outbound DNS (UDP/TCP port 53), and the victim's own recursive resolver does the attacker's work. The compromised host encodes stolen data into the labels of a query name (e.g., encoded_chunk.evil.com), the resolver recurses the query, and the attacker's authoritative nameserver for evil.com receives and logs it, completing the exfiltration. Two protocol limits shape the channel: a single label is at most 63 characters and a whole name at most 253, so data is chunked across many queries; and plain base64 is not hostname-safe ('+', '/' and '=' are not valid label characters), so tunnels typically use base32 or hex.
Tools like dnscat2 and iodine turn this into a bidirectional C2 channel. Because the attacker controls the authoritative nameserver for evil.com, upstream data rides in query names and downstream commands ride in the answers: TXT records are common, dnscat2 also uses CNAME and MX, and iodine defaults to NULL records.
💡 Pro-tip: Monitor the 'Question Name Length' and 'Entropy' in your DNS logs. Legitimate domains are mostly short and readable; tunneled data appears as long, high-entropy strings. Tune against your own baseline first: CDN hostnames, anti-virus reputation lookups and DKIM/SPF-style records also produce long or hash-like labels, so alert on the combination of length, entropy and the number of distinct subdomains per parent domain rather than on any single value.
This output reveals a 78-character subdomain with high entropy, a strong indicator (though not proof on its own) that encoded data is being tunneled out via DNS. Confirm it by counting how many distinct subdomains the same parent domain receives from that host: a tunnel makes every name unique to defeat caching, and the label characters give a rough measure of how much data has left.
Prevent tunneling by forcing all internal hosts to use designated internal DNS resolvers and blocking direct outbound port 53 at the edge firewall. Also block or proxy DNS over HTTPS (443) and DNS over TLS (853) to unsanctioned public resolvers, since a tunnel client that can reach one bypasses the port 53 rule entirely. Deploy DNS security solutions (like Cisco Umbrella) that inspect query payloads.
⚠️ Blocking outbound DNS entirely breaks name resolution for every user. Allow DNS only to trusted, inspecting recursive resolvers that can apply RPZ (Response Policy Zones) to sinkhole malicious domains. RPZ only catches domains you already know about, so pair it with the length, entropy and per-domain volume analytics above to catch a tunnel on a fresh domain.
| Indicator | Normal | Tunneling |
|---|---|---|
| Subdomain length | < 30 chars | 50+ chars (labels up to the 63-char limit) |
| Entropy (bits/char) | Low (dictionary words, roughly 3) | High (random base32/hex, 4 or more) |
| Frequency | Sporadic, same names repeated (cacheable) | Constant or rhythmic, every name unique (defeats caching) |
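The encoding described above and the length/entropy check from the table, as an added worked example in Python (not code from the original page, and not dnscat2's or iodine's own implementation). It builds the query names a tunnel client would emit for a constructed 120-byte payload, then scores constructed query-log lines and escalates from single queries to the parent domain. The log format, the client IP, the domains evil.example, example.com, corp.example and example.net, and the 50-character and 4.0 bits/char thresholds are all assumptions made for the example.

```python
"""Added example: tunnel-style encoding of data into DNS names, then a
length/entropy detector over constructed query-log lines. Every domain,
host, log line and threshold here is made up for illustration."""
from __future__ import annotations

import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63           # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253           # a full name is at most 253 characters in text form
LENGTH_THRESHOLD = 50    # subdomain characters left of the parent domain (assumed)
ENTROPY_THRESHOLD = 4.0  # bits/char: readable labels sit near 3, base32 data near 5 (assumed)


def encode_for_dns(data: bytes, parent: str, labels_per_query: int = 3) -> list[str]:
    """Pack data into query names the way a tunnel client does. Base32 is used
    rather than base64 because '+', '/' and '=' are not valid hostname characters;
    labels are capped at 63 chars and each name at 253, so data spans many queries."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names = []
    for i in range(0, len(labels), labels_per_query):
        name = ".".join(labels[i:i + labels_per_query] + [parent])
        if len(name) > MAX_NAME:
            raise ValueError(f"query name exceeds {MAX_NAME} characters")
        names.append(name)
    return names


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str, parent_labels: int = 2) -> tuple[str, str]:
    """Return (subdomain, parent). Assumes a two-label parent such as evil.example;
    production code should consult a public-suffix list (think foo.co.uk)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-parent_labels]), ".".join(labels[-parent_labels:])


def score_query(qname: str) -> dict:
    """Apply the two indicators from the table: subdomain length and entropy."""
    sub, parent = split_name(qname)
    payload = sub.replace(".", "")  # entropy is measured over label characters only
    entropy = shannon_entropy(payload)
    return {
        "qname": qname,
        "parent": parent,
        "length": len(sub),
        "payload_chars": len(payload),
        "entropy": round(entropy, 2),
        "suspicious": len(sub) >= LENGTH_THRESHOLD and entropy >= ENTROPY_THRESHOLD,
    }


def parse_log_line(line: str) -> str | None:
    """Constructed log format: '<timestamp> <client> <qname> <qtype>'."""
    parts = line.split()
    return parts[2] if len(parts) == 4 else None


def analyse(lines: list[str]) -> list[dict]:
    return [score_query(q) for q in map(parse_log_line, lines) if q]


def flag_parents(results: list[dict]) -> dict[str, dict]:
    """Escalate from single queries to the parent domain: once one query under a
    parent trips the thresholds, count every query to it (short trailing chunks
    included) and estimate the bytes carried, since base32 packs 5 bits per char."""
    flagged = {r["parent"] for r in results if r["suspicious"]}
    chars: dict[str, int] = defaultdict(int)
    queries: dict[str, int] = defaultdict(int)
    for r in results:
        if r["parent"] in flagged:
            chars[r["parent"]] += r["payload_chars"]
            queries[r["parent"]] += 1
    return {p: {"queries": queries[p], "approx_bytes": chars[p] * 5 // 8} for p in flagged}


# Constructed 120-byte payload (decoded from a fixed base32 string so the run is deterministic).
PAYLOAD = base64.b32decode("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" * 6)
TUNNEL_QUERIES = encode_for_dns(PAYLOAD, "evil.example")

# Constructed log lines: three benign lookups, then the tunnel's queries.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:02Z 10.0.0.5 mail.corp.example MX",
    "2024-05-01T10:00:03Z 10.0.0.5 cdn-node-7a3f9.edge.example.net A",
] + [f"2024-05-01T10:00:0{4 + i}Z 10.0.0.5 {q} TXT" for i, q in enumerate(TUNNEL_QUERIES)]

if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for r in results:
        print(f"{'!' if r['suspicious'] else ' '} len={r['length']:3d} H={r['entropy']:.2f} {r['qname'][:60]}")
    print(flag_parents(results))
```

Note what the per-query check misses: the 120-byte payload needs two queries, and the second carries only a 3-character tail, so on its own it never trips the length threshold. That is why `flag_parents` aggregates per parent domain once any query under it looks like a tunnel; the same aggregation is what keeps a single long CDN or reputation-lookup name from paging anyone.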