Detection of DNS Tunnels


Many of the DNS tunneling programs try not to attack. They rely on the fact that DNS is often not monitored. There are several DNS tunnel detection techniques that are discussed as two separate categories in this text (the payload analysis and the traffic analysis). For payload analysis, the DNS payload is analyzed for requests and responses to tunnel indicators. For traffic analysis, traffic over time is analyzed. The number frequency and other request attributes are taken into consideration.

Payload analysis (Payload analysis)

Domain Generation Algorithms (DGA) are used for payload analysis detection techniques. DGA-generated domains are abnormal in a similar way to names from data encoding.

Scope of Request and Response

One technique is to analyze the size of the request and response. This is used to identify suspicious DNS tunneling traffic based on the ratio of source and destination bytes. DNS data residing in a MySQL database as part of a Snort/Squil intrusion detection system is queried for source and destination bytes. The ratio is then compared to a threshold value.

It is also possible to use the length of DNS queries and responses to detect tunneling. DNS tunneling utilities usually try to pack as much data into queries and responses as possible. Therefore, tunneling queries are likely to have long labels of up to 63 characters and long total names of up to 255 characters. Another recommendation is to check all hostname requests that exceed 52 characters in length.

Entropy of hostnames

DNS tunnels can be detected by the entropy of the requested hostnames. Legitimate DNS names often have dictionary words or other meaningful names. Encrypted names have higher entropy and more even use of the character set. Although there are exceptions, such as when DNS names are used to represent some type of information. This is sometimes the case with delivery network content. Searching for DNS names that have high entropy can be an indicator of tunneling.

Statistical analysis

Looking at the specific character structure of DNS names is another method that can be used to detect tunneling. Legitimate DNS names usually have only a few digits, while encrypted names usually contain many digits. This looks at the percentage of numeric characters in domain names. Looking at the length of the longest meaningful substring (LMS) and the number of unique characters is another method. It is recommended to be cautious about any request with more than 27 unique characters. Given that legitimate domain names reflect common languages to some extent, the use of character frequency analysis could also be used to identify names. This can look at repeated consonants to detect DNS tunneling. Thus, a tunneling program can create domains with consecutive consonants and numbers that is indistinguishable from an original by a cursory glance.

Unusual record types

Searching for records that are not commonly used by a typical customer, e.g. “TXT” records is another possible detection method.

Policy Violation

If a policy specifies that all DNS look-ups go through an internal DNS server, violations of that policy could be used as a detection method. To do this, one must monitor the traffic of DNS queries directly to the Internet. However, it is important to note that most DNS tunneling tools are designed to work even when requests are routed through an internal DNS.

Specific signatures

In some cases, researchers have provided signatures for specific DNS tunneling tools. A signature can be used to check specific attributes in a DNS header and to check for specific content in the payload database. For example, a Snort signature has been developed to detect NSTX DNS tunneling.

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg: “Potential NSTX DNS Tunneling”; content:”|01 00|”; offset:2; within:4; content: “cT”; offset:12; depth:3; content:”|00 10 00 01|”; within:255; classtype:badunknown; sid:1000 2;)

Traffic analysis (traffic analysis)

Traffic analysis looks at multiple request/response pairs over time. The volume and frequency of the requests can give an indication of existing tunneling.

Volume of DNS traffic per IP address

A basic and straightforward method is to look at the volume of DNS traffic generated by a specific client IP address. Since tunneled data is typically limited to 512 bytes per request, a large number for requests is necessary to conduct communication. When the client queries the server, it will continuously send requests to the server.

Volume of DNS traffic per domain

Another basic method is to look at large volumes of traffic coming into a particular domain name. All DNS tunneling tools are set up to tunnel data using a specific domain name, so all tunneled traffic is to that domain name. We should consider the possibility that DNS tunneling could be configured with multiple domain names, reducing the amount of traffic per domain.

Number of hostnames per domain

One indicator can be the number of hostnames for a given domain. DNS tunneling tools request a unique hostname for each request. This can result in a much larger number than a typical legitimate domain name possesses.

Geographic location of the DNS server

Geographic considerations are another factor that could be used. Here, you should pay particular attention to large amounts of DNS traffic to parts of the world where you do not conduct business. For companies that do not have a broad international presence, this method could be useful.

Domain History

Domain history can also be used to detect suspicious DNS traffic. This involves checking when an “A” record or “NS” record was added. This method has been used to detect domain names that have been involved in malicious activity. It is also relevant for detecting DNS tunneling. For example, recently added “NS” records can be used to detect that a domain may have been acquired for tunneling purposes.

Volume of NXDomain Responses

Searching for excessive NXDomain responses can be used for detecting DGA-generated names. This method could be useful for detecting Heyoka, which can generate large volumes of NXDomain responses.


Using visualization, DNS tunnels can be detected, but this method requires the interactive work of an analyst. However, with the help of this method, tunneled traffic stands out dramatically.

Orphan DNS queries

While most detection methods look at what we can see, another approach is to look at what we expect to see without it having arrived yet. Computations involve executing one DNS request at a time, such as a web page request over http. Another detection method is to look for DNS requests that do not have a corresponding request by an application like http. There will be exceptions to this, but they can be easily filtered out. Security devices can perform reverse lookups of IP addresses. Anti-spam solutions use DNS queries to check if a particular IP address is blacklisted. An endpoint security product uses DNS queries with an encrypted file hash anchored to the FQDN to check for suspicious files.