Simple terms: DNS tunneling is a type of attack exploiting the Trojan horse concept where hackers embed malicious code or programs into a message that appears to be a normal request. So changing the appearance of a URL or thumbnail or whatever it may be to appear to be something that it isn’t to provide access to thingys.

DNS is one of the fundamental protocols of the Internet. It provides conversions between domain names and IP addresses. It is organized as a hierarchical system with servers for different subdomains. A visitor to the site checkpoint.com would ask a .com DNS server for the IP address of the checkpoint.com DNS server. A second request to this DNS server would then provide the IP address of the server hosting the desired webpage. The user is now able to visit their desired site. Without the lookup services that it provides, it would be nearly impossible to find anything on the Internet. To visit a website, you would need to know the exact IP address of the server that is hosting it, which is impossible. As a result, DNS traffic is some of the most trusted traffic on the Internet. Organizations allow it to pass through their firewall (both inbound and outbound) because it is necessary for their internal employees to visit external sites and for external users to find their websites.

DNS tunneling takes advantage of this fact by using DNS requests to implement a command and control channel for malware. Inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests. This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites. Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.

DNS tunneling attacks are simple to perform, and numerous DNS tunneling toolkits exist. This makes it possible for even unsophisticated attackers to use this technique to sneak data past an organization’s network security solutions.