Is your DNS being held hostage?
In the second of this three-part series on DNS as a naïve enabler in malicious cyber activity, we introduce persona No. 2, DNS as a hostage.
This article explains DNS tunneling as a method attackers use to take DNS “hostage,” routing private data and commands through DNS queries to bypass firewalls and monitoring. It describes tunneling conceptually as VPN-over-DNS where malware or compromised endpoints create a client-server channel for command-and-control and data exfiltration, exploiting the fact that DNS often isn’t monitored. The piece outlines operational indicators—unusually long/unique hostnames, frequent/text-record queries, high request volumes, many hostnames per domain, and unexpected geographic traffic—that organizations can use to detect and stop DNS being abused.
What is DNS tunneling and why is it used by attackers?
DNS tunneling is a technique that encapsulates private data within DNS queries and responses to create a covert communication channel between a client (often malware) and a server. Attackers use it because DNS traffic is routinely allowed through firewalls and often not closely monitored, enabling command-and-control or data exfiltration without raising immediate suspicion. Conceptually similar to a VPN-over-DNS, tunneling moves packets across public networks while making them appear as normal DNS traffic, allowing malicious messages to pass unnoticed.
What query and traffic patterns indicate DNS might be "held hostage" by tunneling?
Indicators include unusually long labels or hostnames and long strings of unique characters in subdomains where attackers pack data into host records. Frequent queries that differ slightly from one another (series of unique requests), use of TXT record queries which are atypical for common clients, and regular beaconing-like intervals (for example, queries every minute) are strong signs. Traffic analysis revealing high DNS volume, many hostnames associated with a single domain, repetitive request/response pairs over time, and spikes in traffic to geographic regions where you don’t normally operate are additional telltale patterns.
How can organizations detect and respond when DNS is being abused for tunneling?
Detection relies on monitoring DNS query characteristics and traffic patterns: inspect for long or highly variable subdomain strings, unusual use of TXT records, high counts and frequencies of requests, many hostnames per domain, and unexpected geographic destinations. Analyze temporal patterns for beaconing behavior and track domain history and volume trends. Once identified, organizations should treat these clues as indicators of tunneling activity and take action to stop it—by blocking malicious domains, tightening DNS monitoring and logging, enforcing least-privilege DNS egress policies, and investigating infected endpoints to disrupt the client-server channel used by attackers.
In the second of this three-part series on DNS as a naïve enabler in malicious cyber activity, we introduce persona No. 2, DNS as a hostage. As a hostage, DNS is recruited as a naïve messenger to route private information over the internet.
The best example of DNS used as a hostage is tunneling. Because DNS is often not monitored, bad actors use this to their advantage, so tunneling techniques do not have to be particularly stealthy to leverage DNS. Conceptually, tunneling is like VPN over DNS – a way to tunnel directly through DNS, bypassing firewalls.
First, a short definition of tunneling
According to Techopedia, tunneling moves packets of data across a public network in a way that makes them appear as public information, when in fact they are private. Secure movement allows them to pass through the network unnoticed via a process called encapsulation.
DNS tunneling creates a communication pathway between a client (often malware) and a server to send multiple types of messages back and forth. Two common threats of DNS tunneling are command and control of compromised endpoints and data exfiltration.
Detecting tunneling
How do you know your DNS has been taken hostage and how can tunneling be detected?
Clues lie in the queries themselves where different patterns are often the giveaway.
There is generally a domain and subdomain evident – then an attempt to put as much data into that host record as possible. Queries for TXT (text) records, which are not commonly used by a typical client, may be helpful in identifying activity that is attempting to take your DNS hostage.
Important to note is that in tunneling, patterns that include a series of queries – each different from the next – are common. Each one is unique in order to increase the chances of getting through. These records can be identified by their long strings of unique characters, long labels and long hostnames.

Some may be perfectly valid, using DNS as a mechanism to send messages back and forth; but generally, this is a tip-off that tunneling is underway.
Other patterns are also telling, for example traffic analysis of the count and frequency of requests.
Patterns that indicate tunneling invariably disclose multiple request and response pairs over time. Finally, after many, many attempts, the attacker's DNS server may respond with a command to execute.
Are queries being sent every minute? This might be a sign of beaconing – bad actors using a network's self-notification (regular check-in) behaviour for their own mischievous intent.
Traffic analysis also reveals helpful information like volume of DNS traffic, number of hostnames per domain, and domain history. Geographic considerations are another clue. Large amounts of DNS traffic to parts of the world where you don't usually do business may also be a tunneling indicator.
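A small detector for the indicators described above (long labels, subdomains packed with high-entropy data, TXT lookups, many hostnames per domain and fixed-interval beaconing), added here as an example and not code from the original article. The resolver log lines are constructed, and the thresholds are assumptions that a real deployment would tune against its own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: (seconds since start, query name, query type).
SAMPLE_LOG = [
    (0, "www.example.com", "A"),
    (5, "mail.example.com", "MX"),
    (60, "a8f3k2jx9q1z7v4b2n5m0p.c2-example.test", "TXT"),
    (120, "q9z2m4n7b1v3x5k8j0h6g2.c2-example.test", "TXT"),
    (180, "p1o3i5u7y9t2r4e6w8q0a3.c2-example.test", "TXT"),
    (240, "l2k4j6h8g0f1d3s5a7z9x1.c2-example.test", "TXT"),
    (300, "cdn.example.com", "A"),
]

def registered_domain(qname):
    # Naive "last two labels" rule; a real tool would use the public suffix list.
    return ".".join(qname.split(".")[-2:])

def subdomain_entropy(qname):
    # Shannon entropy (bits/char) of everything left of the registered domain;
    # encoded payloads packed into labels score far higher than ordinary names.
    sub = qname[: -len(registered_domain(qname)) - 1]
    if not sub:
        return 0.0
    n = len(sub)
    return -sum(c / n * math.log2(c / n) for c in Counter(sub).values())

def analyze(log, max_label=20, max_entropy=3.5, max_hosts=3, jitter=5):
    """Return {registered_domain: sorted indicator names} for flagged domains."""
    findings, hosts, times = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, qname, qtype in log:
        dom = registered_domain(qname)
        hosts[dom].add(qname)
        times[dom].append(ts)
        if any(len(label) > max_label for label in qname.split(".")):
            findings[dom].add("long-label")
        if subdomain_entropy(qname) > max_entropy:
            findings[dom].add("high-entropy-subdomain")
        if qtype == "TXT":  # TXT lookups are rare from ordinary clients
            findings[dom].add("txt-query")
    for dom in hosts:
        if len(hosts[dom]) > max_hosts:
            findings[dom].add("many-hostnames")
        ordered = sorted(times[dom])
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        # Near-constant gaps across several queries look like beaconing.
        if len(gaps) >= 3 and max(gaps) - min(gaps) <= jitter:
            findings[dom].add("beaconing")
    return {dom: sorted(f) for dom, f in findings.items()}
```

Running `analyze(SAMPLE_LOG)` flags only the constructed `c2-example.test` domain, on all five indicators, while the ordinary `example.com` lookups produce no findings.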
Because DNS is not intended for data transfer, it can easily be taken hostage and used as a pathway for malicious communication – and if undetected, can pose significant risk to your enterprise. There are solid clues to follow to determine if your DNS is being held hostage.
The key is to stop it.
