The easiest way to think of DNS is like a phone book. It contains phone numbers(ip addresses) corresponding to the person it belongs to(domains/websites). When you navigate to a website your computer does a phone book look up to know who to call. Attackers make their traffic look like a phone book lookup but it actually contains a coded message that they are sneaking out.

It can be used for several things such as exfiltrating sensitive data or even communicating with another computer. Because all computers use DNS it can be difficult to spot the malicious traffic.

One method to detect/prevent DNS tunneling is to only allow outbound DNS to your trusted phonebooks and then either block or alert when a computer tries to use a different one.