> [!Info]
> This page is currently a work in progress.

### DNS tunnelling

- [[DNS]] tunnelling is when DNS queries are used to communicate with an attacker's C2 server.
- As it is DNS traffic, it can often bypass firewalls.
- Because the queries are sent via recursive DNS resolvers, the traffic is harder to trace back to its origin.

#### C2 DNS tunnelling

- Attacker compromises a host with malware.
- Attacker has registered a bad domain (e.g. `bad-domain.com`) and uses it to route malicious traffic through.
- Attacker sends an encoded command from the compromised host as part of the DNS request, e.g. `<encoded_bad_request>.bad-domain.com`.
- The attacker-owned domain's name server receives the query.
- *Example:* [[Cobalt-Strike|Cobalt Strike]] is an example of a tool that can be used to perform tunnelling, as it can encode and decode the DNS data in the packets.

#### Data exfiltration via DNS tunnel

- Attacker compromises a host with malware.
- Attacker has registered a bad domain (e.g. `bad-domain.com`) and uses it to route malicious traffic through.
- Attacker discovers sensitive data they want to exfiltrate.
- Encodes that data and sends it as part of the subdomain, e.g. `<encoded_data_for_exfil>.bad-domain.com`.
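The detection side of the two flows above, as an added example that is not part of this note or of any tool it mentions: both C2 and exfiltration tunnelling put encoded data in the left-most labels of the query name, so a resolver log can be screened for registered domains that receive many distinct, long, high-entropy subdomains. The log format (`<client> <qtype> <qname>`), the sample lines and the thresholds are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log (hypothetical "<client> <qtype> <qname>" format).
# Ordinary lookups are mixed with queries to the note's example domain, whose
# left-most labels carry made-up base32-looking payloads.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43U.bad-domain.com
10.0.0.7 TXT OV3HO6DZPJ4DAMJSGM2DKNRXHA4TAMBR.bad-domain.com
10.0.0.7 TXT GIZTINJWG43TQOJQMFRGGZDFMZTWQ2LK.bad-domain.com
10.0.0.7 TXT NNWG23TPOBYXE43UOV3HO6DZPJ4DAMJS.bad-domain.com
10.0.0.9 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels; fine for .com, a real tool would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_candidates(log: str, min_distinct=3, min_entropy=2.5, min_len=16):
    """Map registered domain -> number of distinct payload-like subdomains seen,
    keeping only domains that exceed min_distinct (the tunnelling signature)."""
    per_domain = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _client, _qtype, qname = line.split()
        qname = qname.rstrip(".")
        domain = registered_domain(qname)
        sub = qname[: -len(domain) - 1] if qname.endswith("." + domain) else ""
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            per_domain[domain].add(sub)
    return {d: len(subs) for d, subs in per_domain.items() if len(subs) >= min_distinct}
```

Thresholds need tuning per environment: CDNs and some anti-spam services also emit long subdomains, so in practice the flagged domains are an investigation queue, not a verdict.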