Modern cyber threats are increasingly stealthy. A favorite tactic? DNS tunneling—a method used to bypass traditional network security controls by hiding malicious traffic inside DNS queries and responses. This can be done by embedding or encoding command and control instructions or data within subdomains or DNS record fields like TXT, CNAME or other rarely used record types.
Here’s how it works:
DNS (Domain Name System) is used to translate domain names like example.com into IP addresses. Because DNS is a critical service, it is universally allowed through firewalls and network filters with limited to no protective inspection. Attackers exploit this trusted communication protocol by encoding malicious data inside DNS traffic, essentially creating a secret subversive channel—a “tunnel”—within the world-wide network of trusted DNS servers.
Why it’s dangerous:
- It can be used for data infiltration and exfiltration – attackers deliver malware or steal sensitive information by encoding it into DNS requests.
- It enables command-and-control (C2) communication – malware can receive instructions from an attacker using DNS responses.
- It often goes undetected, because it uses a legitimate protocol (DNS) that rarely gets deeply inspected.
Real-world examples:
An unknowing user or a malware-infected device may make a request to newbadguy.com. A typical DNS service will dutifully look up the domain by contacting the authoritative DNS server—no questions asked. The attacker’s malicious server responds as if it’s legitimate, and that response is then relayed through the DNS service back to the user or malware, but it’s actually tunneling malicious payloads through that trusted DNS channel.
Malicious threat actors and campaigns—including SUNBURST, OilRig, xHunt, and DarkHydrus—have used DNS tunneling as a covert communication method. One of the most well-known examples of DNS tunneling being used in the wild is the SUNBURST backdoor, which was part of the SolarWinds supply chain attack in 2020. After infecting victim machines, SUNBURST used DNS queries to stealthily transmit encoded data—like unique identifiers and host information—to attacker-controlled domains. These queries mimicked normal DNS traffic, making detection difficult. The responses, typically served via TXT records, acted as the attacker’s covert command channel.
Why CleanINTERNET® DNS matters:
Traditional DNS resolvers just answer queries—they don’t inspect whether the server you’re talking to is bad or the queries you’re making have malicious content. And, most enterprises can’t block DNS traffic outright without breaking their networks. Adversaries know this, and they exploit it by setting up malicious DNS servers that appear legitimate, using the public DNS infrastructure to quietly move data in and out of the environment.
CleanINTERNET DNS inspects and blocks DNS tunneling attempts using real-time Cyber Threat Intelligence, stopping threats even when they hide inside “legitimate” DNS traffic.
This is where CleanINTERNET® DNS changes the game.
Unlike generic DNS resolvers, CleanINTERNET DNS uses real-time Cyber Threat Intelligence to evaluate every DNS request. When a request hits our platform, we assess not just the domain name and other DNS fields but also the behavior and reputation of the authoritative DNS servers involved. If the authoritative DNS server is known to be malicious—or if it’s exhibiting suspicious behavior—we block the resolution before the threat can communicate or any data is sent to potentially malicious DNS servers.
By analyzing DNS requests and evaluating potentially bad recursors, CleanINTERNET DNS uses threat intelligence to prevent DNS tunneling—even when attackers are using otherwise trusted DNS infrastructure.
The result? Enterprises get more than just protection from known malicious domains—they gain active defense against advanced DNS tunneling attacks that traditional DNS services often overlook. CleanINTERNET DNS detects and blocks covert tunneling, stopping data theft and command-and-control communications before they can do damage.
