DNS Tunneling Programs


There are a number of different utilities for DNS tunneling.


DeNiSe is a proof-of-concept for tunneling TCP over DNS, written in Python. The GitHub page for DeNiSe has six Python scripts dated from 2002 to 2006.


dns2tcp was developed by Olivier Dembour and Nicolas Collignon. It is written in C and runs under Linux; the client also runs under Windows. It supports KEY and TXT request types.


DNScapy was developed by Pierre Bienaime. It uses Scapy for packet generation. DNScapy supports SSH tunneling over DNS, including a SOCKS proxy. It can be configured to use CNAME and TXT records at random.

DNScat (DNScat-P)

DNScat (DNScat-P) was originally released in 2004. It was developed by Tadeusz Pietraszek. DNScat is considered a “Swiss Army Knife” with many uses and bidirectional communication through DNS. DNScat is Java-based and runs on Unix-like systems. It supports “A” records and “CNAME” requests. Since there are two utilities called DNScat, this one will be referred to as DNScat-P in this text to distinguish it from the other.

DNScat (DNScat-B)

DNScat (DNScat-B) was written by Ron Bowes. The earliest known public release was in 2010, and it runs on Linux, Mac OS X, and Windows. DNScat-B encodes queries in either NetBIOS encoding or hex encoding. It can use A, AAAA, CNAME, NS, TXT, and MX records, and it provides both a datagram and a stream mode. There is also a DNScat-B based Metasploit payload.


Heyoka is a proof-of-concept that sets up a bidirectional tunnel for data exfiltration. This tool is written in C and runs on Windows. It uses binary data instead of base32- or base64-encoded data to increase bandwidth. It also uses EDNS to allow DNS messages that exceed the 512-byte limit. Heyoka makes use of source spoofing to make it appear that requests are distributed across multiple IP addresses.


Iodine is a DNS tunneling program first released in 2006. Iodine is written in C and runs on Linux, Mac OS X, Windows, and other operating systems. Iodine can additionally be deployed on Android. It uses a TUN or TAP interface on the endpoint.


NSTX (Nameserver Transfer Protocol) was released in 2000. It runs only on Linux. NSTX makes it possible to create IP tunnels using DNS (NSTX, 2002). It tunnels traffic through either a TUN or a TAP interface on the endpoints.


OzymanDNS was written by Dan Kaminsky in 2004. It is used to establish an SSH tunnel over DNS or to transfer files. The requests are base32 encoded and the responses are base64 encoded TXT records.


Psudp was developed by Kenton Born. It injects data into pre-existing DNS queries by modifying the IP/UDP lengths. This requires that all hosts participating in the covert network send their DNS queries to a broker service that collects messages for a particular host until a DNS query comes from that host. The message can then be sent in response.


Squeeza is an SQL injection tool. It separates the command channel from the data exfiltration channel. The command channel can be used to create data in a database and execute other commands. It supports three data exfiltration channels: HTTP error, timing, and DNS. For the DNS channel, the data is encoded in the Fully Qualified Domain Name (FQDN).


tcp-over-dns was released in 2008. It has a Java-based server and a Java-based client. It runs on Windows, Linux, and Solaris. It supports LZMA compression and both TCP and UDP traffic tunneling.


TUNS was developed by Lucas Nussbaum. TUNS is written in Ruby. It uses only CNAME records. It sets MTU to 140 characters to match the data in a DNS query. TUNS is more difficult to detect, but comes with a higher performance cost.
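The entries above keep returning to the same observable traits: payload carried in long, encoded labels (base32 for OzymanDNS, hex or NetBIOS for DNScat-B), names built to fill the query (TUNS), and data moved in record types such as TXT, CNAME, NULL, KEY, MX or NS. The following scorer turns those traits into a simple detection heuristic run over resolver log lines. It is an added example, not code from the original text or from any of the tools described; the log format, the thresholds, and the assumption that the registrable domain is the last two labels are all mine and should be tuned against real resolver logs.

```python
"""Score DNS queries for tunnel-like traits (added example, assumptions noted)."""
import math
import re
from collections import Counter

# Query types the surveyed tools are described as carrying data in.
# A and AAAA are left out: nearly all legitimate traffic uses them.
DATA_QTYPES = {"TXT", "CNAME", "NULL", "KEY", "MX", "NS"}
BASE32_RE = re.compile(r"^[a-z2-7]+$")   # base32 alphabet (OzymanDNS-style requests)
HEX_RE = re.compile(r"^[0-9a-f]+$")      # hex encoding (DNScat-B)
SUSPICIOUS_SCORE = 3                      # assumed cut-off; tune per environment


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str):
    """Return (payload_labels, registrable_domain).

    Assumption: the registrable domain is the last two labels. Real
    deployments should consult a public-suffix list (co.uk needs three).
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def score_query(qname: str, qtype: str):
    """Return (score, reasons) for a single query name and type."""
    payload_labels, _domain = split_name(qname)
    payload = "".join(payload_labels)
    score, reasons = 0, []
    if len(qname) > 75:                       # names padded to carry data
        score += 2
        reasons.append("long_qname")
    if payload_labels and max(map(len, payload_labels)) >= 40:
        score += 2                            # a DNS label maxes out at 63 octets
        reasons.append("long_label")
    if any(len(l) >= 20 and (BASE32_RE.match(l) or HEX_RE.match(l))
           for l in payload_labels):
        score += 1
        reasons.append("encoded_alphabet")
    if len(payload) >= 20 and shannon_entropy(payload) > 3.5:
        score += 1                            # hostnames are rarely this random
        reasons.append("high_entropy")
    if qtype.upper() in DATA_QTYPES:
        score += 1
        reasons.append("data_qtype:" + qtype.upper())
    return score, reasons


def parse_log_line(line: str):
    """Constructed log format: '<time> <client> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def flag_log(lines):
    """Return the parsed entries whose score reaches SUSPICIOUS_SCORE."""
    flagged = []
    for line in lines:
        entry = parse_log_line(line)
        entry["score"], entry["reasons"] = score_query(entry["qname"], entry["qtype"])
        if entry["score"] >= SUSPICIOUS_SCORE:
            flagged.append(entry)
    return flagged


# Constructed sample log. The long labels are base32/hex-alphabet filler
# made up for this example; they do not decode to anything and are not real traffic.
SAMPLE_LOG = [
    "10:00:01 10.0.0.5 www.example.com A",
    "10:00:02 10.0.0.5 mail.example.com MX",
    "10:00:03 10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi."
    "gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbv.0001.example.net TXT",
    "10:00:04 10.0.0.9 deadbeef00112233445566778899aabbccddeeff.0002.example.net CNAME",
]

if __name__ == "__main__":
    for hit in flag_log(SAMPLE_LOG):
        print(hit["client"], hit["score"], hit["reasons"], hit["qname"][:40] + "...")
```

The ordinary lookups score 0 and 1 (the MX record alone is not enough), while the two padded, encoded names from 10.0.0.9 score well above the cut-off. Per-client volume over time is the natural next feature to add: a tunnel needs thousands of such queries, which is why TUNS's small MTU costs it throughput.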

Malware using DNS

DNS is used by malware as a communication method. Known malware using DNS include Feederbot and Morto. Both use DNS TXT records for control and monitoring.