Yes, and most firewalls won’t stop it. DNS tunneling encodes stolen data inside legitimate-looking DNS lookup requests, which nearly every network allows outbound by default. Because DNS is a trusted protocol, security teams rarely inspect it for exfiltration, making it one of the most reliable covert channels active threat actors use today.
Pithy Security | Cybersecurity FAQs – The Details
Question: Can attackers exfiltrate data through DNS queries, and why does DNS tunneling bypass most enterprise firewalls?
Asked by: Perplexity AI
Answered by: Mike D (MrComputerScience) from Pithy Security.
How DNS Tunneling Actually Encodes and Moves Stolen Data
DNS was designed in 1983 to translate domain names into IP addresses. It was never designed to be inspected for payload content. Attackers exploit that assumption directly.
In a DNS tunneling attack, malware on a compromised host encodes stolen data (credentials, files, keystrokes) into the subdomain portion of a DNS query. A lookup for a name such as a3f92bc1d.exfil.attacker.com is not looking up a real host. It is transmitting a 32-character encoded data chunk to an attacker-controlled authoritative DNS server that logs every query it receives.
The attacker controls the receiving DNS server, so every query that resolves gets decoded and reassembled on their end. Tools like Iodine and DNScat2, and the custom implants used by groups such as APT32 and by Cobalt Strike operators, have made this technique widely available, not just theoretical.
Transfer speeds are slow, typically 1-3 KB/s, but for credential dumps, SSH keys, or configuration files, slow is fast enough.
Why Enterprise Firewalls and DLP Tools Miss DNS Exfiltration
Most enterprise firewalls are configured to block unauthorized outbound connections on ports 80 and 443. DNS on UDP port 53 is almost always open, because breaking DNS breaks everything.
Next-gen firewalls from Palo Alto Networks and Fortinet can inspect DNS traffic, but this feature is frequently not enabled by default and requires tuning to avoid false positives on legitimate CDN and cloud provider subdomains, which also use long, encoded-looking strings. Security teams deprioritize it.
Data Loss Prevention tools fare worse. DLP typically monitors file transfers, email attachments, and HTTP/S uploads. It does not parse DNS query subdomains for encoded content. The exfiltration never registers as a file leaving the network.
CISA has documented DNS tunneling as an active technique in multiple advisories, including its guidance on detecting APT activity on federal networks, but enterprise adoption of DNS monitoring remains inconsistent.
When DNS Monitoring Actually Catches Tunneling in Time
Behavioral DNS analytics can catch tunneling, but only if you are running them. The indicators are detectable: abnormally high query volume to a single domain, unusually long subdomain strings (legitimate queries rarely exceed 30-40 characters), high entropy in subdomain labels, and queries to newly registered domains.
Tools like Cisco Umbrella, Palo Alto DNS Security, and open-source options like Zeek with DNS scripts can flag these patterns. MITRE ATT&CK catalogs DNS tunneling under T1071.004 with detection guidance tied directly to these behavioral indicators.
The gap is not tooling. Most organizations that get breached via DNS tunneling had the data in their DNS logs the entire time. They just were not looking at it.
What This Means For You
- Enable DNS query logging on your recursive resolvers immediately and pipe those logs into your SIEM, because exfiltration evidence sits in DNS logs that most teams never review.
- Audit your firewall ruleset to confirm DNS inspection is active and not just licensed: Palo Alto, Fortinet, and Check Point all require explicit policy enablement, not just the subscription.
- Set a query length alert for any subdomain string exceeding 50 characters to a non-whitelisted domain, since legitimate traffic almost never generates strings that long.
- Review MITRE ATT&CK T1071.004 and map your current detection coverage against the listed data sources before assuming your DLP or EDR handles this threat vector.
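The behavioral indicators listed in the monitoring section (query volume to a single domain, subdomain length, label entropy) and the 50-character alert rule from the checklist above, as one added detection example. This is illustrative code written for this page, not a Pithy Security tool or any vendor's product. It assumes a constructed log of "timestamp client query-name" lines, a simplified "registered domain = last two labels" rule in place of real public-suffix handling, and assumed entropy and volume thresholds that a team would tune against its own traffic; the allowlist entries are likewise assumed.

```python
"""Flag DNS queries that match the tunneling indicators described above.

Added example, not part of the original FAQ. Assumptions: a whitespace-separated
log format (epoch, client IP, query name), a constructed sample log, and a
two-label "registered domain" heuristic that stands in for public-suffix handling.
"""
import math
from collections import Counter

# The 50-character rule comes from the page; the entropy and volume cutoffs are
# assumed starting points, not values the page states.
MAX_SUBDOMAIN_LEN = 50
ENTROPY_THRESHOLD = 3.5   # bits per character over the subdomain characters (assumed)
VOLUME_THRESHOLD = 4      # queries to one registered domain in the window (assumed)

# Registered domains known to produce long, encoded-looking labels legitimately (assumed).
ALLOWLIST = {"cloudfront.net", "akamaiedge.net"}

# Constructed sample log: "<epoch> <client> <qname>". The five hex-heavy names
# imitate chunked exfil labels; the others are ordinary lookups.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com
1700000001 10.0.0.5 mail.example.com
1700000002 10.0.0.7 d1abcdef0123456789abcdef01234567.cloudfront.net
1700000003 10.0.0.9 4a7f9c2e1b8d3f6a5c0e9b2d7f4a1c8e3b6d9f0a2c5e8b1d4f7a0c3e.exfil.attacker.example
1700000004 10.0.0.9 1b8d3f6a5c0e9b2d7f4a1c8e3b6d9f0a2c5e8b1d4f7a0c3e4a7f9c2e.exfil.attacker.example
1700000005 10.0.0.9 5c0e9b2d7f4a1c8e3b6d9f0a2c5e8b1d4f7a0c3e4a7f9c2e1b8d3f6a.exfil.attacker.example
1700000006 10.0.0.9 7f4a1c8e3b6d9f0a2c5e8b1d4f7a0c3e4a7f9c2e1b8d3f6a5c0e9b2d.exfil.attacker.example
1700000007 10.0.0.9 3b6d9f0a2c5e8b1d4f7a0c3e4a7f9c2e1b8d3f6a5c0e9b2d7f4a1c8e.exfil.attacker.example
1700000008 10.0.0.5 api.github.com
"""


def registered_domain(qname: str) -> str:
    """Last two labels, e.g. 'attacker.example' (simplified; no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    """Everything left of the registered domain, dots included."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 data labels score far above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str) -> list[tuple[int, str, str]]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname))
    return records


def analyze(records: list[tuple[int, str, str]]) -> list[dict]:
    """Return one finding per query that trips at least one indicator."""
    volume = Counter(registered_domain(q) for _, _, q in records)
    findings = []
    for ts, client, qname in records:
        dom = registered_domain(qname)
        if dom in ALLOWLIST:
            continue  # the page's rule applies to non-whitelisted domains only
        sub = subdomain_part(qname)
        ent = shannon_entropy(sub.replace(".", ""))
        reasons = []
        if len(sub) > MAX_SUBDOMAIN_LEN:
            reasons.append("long_subdomain")
        if ent > ENTROPY_THRESHOLD:
            reasons.append("high_entropy")
        if volume[dom] >= VOLUME_THRESHOLD:
            reasons.append("high_volume")
        if reasons:
            findings.append({"ts": ts, "client": client, "qname": qname, "domain": dom,
                             "subdomain_len": len(sub), "entropy": round(ent, 2),
                             "reasons": reasons})
    return findings


def suspicious_domains(findings: list[dict]) -> list[str]:
    """Distinct registered domains with at least one finding, for a SIEM summary."""
    return sorted({f["domain"] for f in findings})


if __name__ == "__main__":
    hits = analyze(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["client"], h["domain"], h["subdomain_len"], h["entropy"], ",".join(h["reasons"]))
    print("suspicious domains:", suspicious_domains(hits))
```

The three checks are deliberately independent so an analyst can see which indicator fired: a long label alone can be a CDN artifact, but long, high-entropy labels arriving in a burst to one newly seen domain is the combination the page describes. In a real deployment the volume counter would be computed per client and per time window rather than over the whole file, and the allowlist would be driven by a public-suffix list.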
