DNS Tunneling: What it is, red flags to spot, and how to block it fast

DNS Tunneling

What it is

DNS tunneling turns the internet’s phone book (DNS) into a secret tunnel for data. Because DNS lookups are trusted and often allowed out of networks, attackers hide commands or stolen info inside DNS requests and replies to sneak past firewalls. Learn more in our DNS tunneling explainer.

How it works

  • Malware on a device chops data into tiny chunks and encodes it in subdomains.

  • Your resolver forwards those lookups to the attacker’s authoritative DNS server.

  • The attacker decodes the data from the queries or sends back instructions in DNS answers.

  • Result: command-and-control and data exfiltration that looks like normal DNS traffic.

What you might notice

  • Lots of very long or random-looking domains (gibberish labels).

  • Unusual spikes in TXT record queries or NXDOMAIN responses.

  • Constant DNS traffic to a single strange domain or newly registered zones.

  • Endpoints making DNS queries at odd hours with steady, periodic bursts.

If you suspect it

  1. Block the suspicious domain/NS at DNS and firewall; capture samples.

  2. Isolate affected hosts and run a full malware/EDR sweep.

  3. From a clean admin box, rotate credentials and tokens used on that host.

  4. Review logs to scope what left and who else is talking to the same domain.

Prevent it

  • Use a DNS filter/firewall with tunneling detections (length, entropy, TXT/NXDOMAIN heuristics).

  • Egress control: only allow DNS to approved resolvers; block outbound 53/853 elsewhere.

  • Turn on DoH/DoT to your resolver; log queries centrally and alert on anomalies.

  • Segment networks and least-privilege access so one host isn’t a gateway to all data.

  • Keep endpoints patched and monitored (EDR) to stop the malware that starts the tunnel.
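As an added example (not code from this glossary), here is a small Python script that applies the length, entropy and TXT/NXDOMAIN heuristics named above to a constructed resolver log. The log format, the placeholder zone names and the thresholds are assumptions to be tuned against your own traffic.

```python
import math
from collections import defaultdict

# Constructed log rows (client_ip, qname, qtype, rcode), not real traffic; tunnel rows use a placeholder .invalid zone.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "MX", "NOERROR"),
    ("10.0.0.7", "cdn.example.net", "A", "NOERROR"),
    ("10.0.0.9", "a7f3c9e1b2d4f6a8c0e2b4d6f8a1c3e5.t.tunnel-example.invalid", "TXT", "NOERROR"),
    ("10.0.0.9", "9e2c4a6b8d0f1a3c5e7b9d1f3a5c7e9b.t.tunnel-example.invalid", "TXT", "NXDOMAIN"),
    ("10.0.0.9", "c1d3e5f7a9b1c3d5e7f9a1b3c5d7e9f1.t.tunnel-example.invalid", "TXT", "NOERROR"),
    ("10.0.0.9", "f0e2d4c6b8a0f2e4d6c8b0a2f4e6d8c0.t.tunnel-example.invalid", "TXT", "NXDOMAIN"),
]

# Illustrative thresholds; tune them against a baseline of your own traffic.
MIN_LABEL_LEN = 16   # leftmost labels this long are rare for human-named hosts
MIN_ENTROPY = 3.0    # bits/char; hex-encoded data sits near 4, base32 near 5
MIN_QUERIES = 3      # never judge a zone on one or two lookups
RATIO = 0.5          # share of a zone's queries that must trip a heuristic

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    entropy = 0.0
    for count in (text.count(ch) for ch in set(text)):
        p = count / len(text)
        entropy -= p * math.log2(p)
    return entropy

def is_suspicious_name(qname: str) -> bool:  # length + entropy of the leftmost label, where encoded chunks land
    label = qname.split(".")[0]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY

def registered_zone(qname: str) -> str:  # last two labels; real code should use the public suffix list
    return ".".join(qname.rstrip(".").split(".")[-2:])

def flag_zones(log) -> dict:
    """Aggregate per zone and return {zone: [reasons]} for tunnel-like query mixes."""
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "nx": 0, "weird": 0})
    for _client, qname, qtype, rcode in log:
        s = stats[registered_zone(qname)]
        s["n"] += 1
        s["txt"] += qtype == "TXT"
        s["nx"] += rcode == "NXDOMAIN"
        s["weird"] += is_suspicious_name(qname)
    checks = (("weird", "long high-entropy labels"), ("txt", "TXT-heavy"), ("nx", "NXDOMAIN-heavy"))
    flagged = {}
    for zone, s in stats.items():
        reasons = [name for key, name in checks if s["n"] >= MIN_QUERIES and s[key] / s["n"] >= RATIO]
        if reasons:
            flagged[zone] = reasons
    return flagged
```

Run it over your resolver's query log export (or a DNS firewall's query events) and feed the flagged zones into step 1 of the response list above; per-zone aggregation keeps a single odd-looking hostname from triggering an alert on its own.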
