Hackers Use DNS Queries to Evade Defenses and Exfiltrate Data

Cybercriminals are increasingly exploiting the Domain Name System (DNS) to bypass corporate security measures and steal sensitive data, according to new research from cybersecurity experts.

This sophisticated technique, known as DNS tunneling, transforms the internet’s essential “phonebook” into a covert communication channel for malicious activities.

DNS tunneling involves encoding data within DNS queries and responses, creating an invisible pathway between attackers and compromised systems.

Because DNS traffic routinely passes through corporate firewalls with minimal inspection, this method allows cybercriminals to conduct command-and-control (C2) operations and data exfiltration while remaining largely undetected, as per a report by Infoblox.

The attack process begins when threat actors gain control of a domain name’s authoritative name server.

Malware installed on victim systems then performs periodic lookups of the controlled domain, receiving encoded instructions through DNS responses.

These communications can trigger various malicious actions, from directory listings to file deletions, all while appearing as legitimate DNS traffic.

“The malware uses the DNS system, so there is no direct traffic between the malware client and the C2 server,” explained cybersecurity researchers.

Instead, communications flow through the victim’s recursive name server, which typically has permissive rules allowing internet connectivity.

Attackers can exploit various DNS record types for their operations, including A records (IPv4 addresses), AAAA records (IPv6 addresses), TXT records (free-form text), and CNAME records (canonical domain names).

For example, a subdomain query might contain encoded credentials like “username: andy, password: 123xyzabc,” while the server’s TXT record response could instruct the malware to execute dangerous commands such as “sudo rm /etc/shadow.”

This popular penetration testing tool, frequently misused by threat actors, uses hex-encoded queries with customizable prefixes and performs beaconing using A records while conducting C2 operations through TXT records.

Other notable DNS tunneling families include DNSCat2, a lightweight tool for creating encrypted DNS tunnels; DNS Exfiltrator, which demonstrates proof-of-concept data exfiltration; and Sliver, a cross-platform C2 framework.

Additional tools like Iodine, Pupy, and Weasel each employ unique signatures and communication patterns.

Organizations are implementing enhanced DNS security measures, including monitoring for unusual subdomain patterns, analyzing query frequency, and deploying specialized threat detection systems.

The challenge lies in balancing security with functionality, as overly aggressive blocking could disrupt legitimate DNS operations.

The growing prevalence of DNS tunneling underscores the critical importance of securing all network protocols, not just obvious attack vectors, as cybercriminals increasingly exploit fundamental internet infrastructure for malicious purposes.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now