
DNS tunnelling

Definition

Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks other protocols. Indicators include unusually long domain names, high-entropy subdomains, and query volumes far above what name resolution alone would generate.
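The three indicators named above can be checked mechanically against resolver logs. The following is an added example written for this entry, not code from the glossary or any product it references; it assumes a constructed sample log, a two-label parent domain, and illustrative thresholds (subdomain longer than 30 characters, mean entropy above 3.5 bits per character, more than 3 queries to one parent).

```python
import math
from collections import defaultdict

# Constructed sample resolver log as (client_ip, qtype, qname): made-up data,
# not captured traffic. The last four rows mimic hex-encoded chunks sent as
# subdomains of one parent domain, the pattern described in the definition.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.5", "AAAA", "cdn.example.org"),
    ("10.0.0.7", "TXT", "3f9a1c7e4b2d8f60a5e3c1b9d7f24e68.t1.tunnel.test"),
    ("10.0.0.7", "TXT", "9d2e7b4f1a6c3e8b5f0d2a7c4e9b1f36.t1.tunnel.test"),
    ("10.0.0.7", "TXT", "c4b1e8d7f2a9365b0e1d4f7a2c8b9e53.t1.tunnel.test"),
    ("10.0.0.7", "TXT", "7e3a9f1b5d2c8e4f6a0b3d9c1e7f2a85.t1.tunnel.test"),
]

def shannon_entropy(text: str) -> float:
    """Bits per character: hex payload labels score near 4, 'mail' scores 2."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def split_name(qname, parent_labels=2):
    """Return (subdomain part, parent); assumes a two-label registrable parent."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-parent_labels]), ".".join(labels[-parent_labels:])

def detect_tunnelling(queries, max_sub_len=30, max_entropy=3.5, max_queries=3):
    """Aggregate per parent domain and test the three indicators from the
    definition. Thresholds are illustrative; baseline them per network."""
    agg = defaultdict(lambda: {"queries": 0, "longest_sub": 0, "entropy_sum": 0.0})
    for _client, _qtype, qname in queries:
        sub, parent = split_name(qname)
        a = agg[parent]
        a["queries"] += 1
        a["longest_sub"] = max(a["longest_sub"], len(sub))
        a["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    report = {}
    for parent, a in agg.items():
        mean_entropy = a["entropy_sum"] / a["queries"]
        reasons = [label for hit, label in (
            (a["longest_sub"] > max_sub_len, "long subdomain"),
            (mean_entropy > max_entropy, "high-entropy subdomain"),
            (a["queries"] > max_queries, "query volume")) if hit]
        # Two or more indicators together; one alone is too noisy on real traffic.
        report[parent] = {"queries": a["queries"], "longest_sub": a["longest_sub"],
                          "mean_entropy": round(mean_entropy, 2),
                          "reasons": reasons, "flagged": len(reasons) >= 2}
    return report
```

On the sample above, `tunnel.test` is flagged on all three indicators while `example.com` and `example.org` are not; on real logs the parent-domain split should use a public-suffix list rather than a fixed two labels.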

Related terms

A record
A DNS resource record that maps a domain name to an IPv4 address. The primary attribution record in most investigations. An AAAA...
Beaconing
Periodic outbound connections from a compromised host to a command-and-control server, typically at regular intervals. The regularity of the interval, measured in...
Covert channel
Any communication path that was not intended by the system designer and that bypasses access-control or monitoring policies. Network covert channels are...
Domain generation algorithm (DGA)
Code embedded in malware that produces a large set of pseudo-random domain names on a scheduled basis. The malware tries each until...
Entropy analysis
A statistical technique that measures the randomness of data in a field or stream. Protocol fields that should contain low-entropy predictable values...
Fast-flux
An evasion technique in which a domain's A records cycle through a large pool of IP addresses with very short TTL values....
Network flow (NetFlow/IPFIX)
A summary record of a network conversation, storing source IP, destination IP, source port, destination port, protocol, byte count, and timestamps, without...
Packet capture (PCAP)
The interception and recording of network packets as they traverse an interface. The raw data is stored in PCAP format and analysed...
Passive DNS
A historical database of DNS resolutions collected by sensors at recursive resolvers or network taps. Passive DNS shows which IP addresses a...
Port number
A 16-bit integer in the TCP or UDP header that identifies the application-layer service at each endpoint. Well-known ports are assigned by...
Protocol anomaly detection
A detection method that compares observed network traffic against the formal specification of each protocol (its RFC or standard) and flags fields...
Storage channel
A covert channel that encodes information in the value of a protocol field, such as the IP Identification field or a DNS...

Explained in these topics

  • DNS and Domain Investigation: A technique that encodes data inside DNS query strings or TXT/CNAME response records to carry non-DNS traffic through firewalls that permit DNS. Used for data...
  • Network Protocols and Traffic Interpretation: Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks oth...
  • Network Steganography and Covert Channels: A technique that encodes arbitrary data inside DNS query and response labels, using an attacker-controlled authoritative server to relay the covert communicati...
