What is DNS tunneling
DNS tunneling encodes data inside DNS queries and responses so that it passes through firewalls that allow DNS but block other egress. It is used for C2 traffic and for exfiltration. DNS tunneling rides on the public DNS layer that resolvers, browsers, inbox providers, and attackers all see, which makes resolver configuration, logging, and change control as important as the protocol standard itself.
If you are already working through Cache Poisoning, this topic gives you the missing layer between the raw signal and the decision you have to make. For a live check, start with the CyberFurl public security report, then open the DNS posture feature page to see where it fits in the wider CyberFurl workflow.
Why DNS is abused (rarely blocked)
DNS is attractive to attackers because it is one of the few protocols most environments still allow from almost every host, often even when direct outbound connections are blocked. The client never has to reach the attacker directly: it asks the organisation's own recursive resolver, which forwards the query to whichever authoritative server the attacker has registered for the domain, and the answer comes back the same way. If defenders are not watching query patterns (volume per domain, name length and entropy, count of distinct subdomains, unusual record types such as TXT or NULL), DNS becomes a covert path for command traffic or data movement that never looks like classic malware egress.
Common tools (iodine, dnscat2, DNSExfiltrator)
Well-known tunneling tools show how mature the technique already is. Uplink data is carried in the query name itself, packed into subdomain labels under a domain the attacker controls; downlink data comes back in the answer, in record types with room for arbitrary content (TXT, NULL, CNAME, MX). The encoding has to respect DNS limits: a label is at most 63 bytes, a full name about 253, and names are case-insensitive, so tools favour base32-style alphabets over base64. All of them rely on the fact that many networks still treat DNS as trusted background traffic.
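The following is an added example written for this page; it is not CyberFurl's code and not the wire format of iodine, dnscat2 or DNSExfiltrator. It illustrates the two preceding sections together: a hypothetical encoder that packs bytes into query names under the DNS label and name limits (the technique the tools above share), a matching receiver that reassembles them, and a small detector that scores a query log per domain on the signals defenders are advised to watch. The attacker zone c2.example.net, the exfiltrated payload and the benign query log are all constructed for the example.

```python
"""DNS tunneling: name-encoding and a per-domain detector (added example)."""
import base64
import math
from collections import defaultdict

MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253    # practical limit for a presentation-format FQDN
ATTACKER_DOMAIN = "c2.example.net"   # assumption: attacker-controlled zone


def encode_queries(data: bytes, domain: str = ATTACKER_DOMAIN,
                   labels_per_query: int = 2) -> list[str]:
    """Pack bytes into query names (hypothetical uplink encoding).

    Base32 is used because DNS names are case-insensitive and resolvers may
    rewrite case (0x20 encoding), which would corrupt a base64 alphabet.
    """
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    per_query = MAX_LABEL * labels_per_query
    names = []
    for seq, i in enumerate(range(0, len(text), per_query)):
        chunk = text[i:i + per_query]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        # leading label is a sequence number so the receiver can reorder
        name = f"{seq:04x}." + ".".join(labels) + f".{domain}"
        if len(name) > MAX_NAME:
            raise ValueError("query name exceeds 253 characters")
        names.append(name)
    return names


def decode_queries(names: list[str], domain: str = ATTACKER_DOMAIN) -> bytes:
    """Receiver side: strip the zone, reorder by sequence, undo base32."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, _, payload = name[:-len(suffix)].partition(".")
        chunks[int(seq, 16)] = payload.replace(".", "")
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)       # restore base32 padding
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; base32 payload scores far above 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(query_log: list[str], min_avg_len: int = 30,
                  min_entropy: float = 3.0) -> dict[str, dict]:
    """Group queries by registered domain and flag tunnel-like ones.

    The registered domain is taken as the last two labels, a simplification;
    production code should use the public suffix list instead.
    """
    by_domain = defaultdict(list)
    for q in query_log:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) < 3:          # bare apex queries carry no subdomain
            continue
        by_domain[".".join(labels[-2:])].append(".".join(labels[:-2]))
    result = {}
    for domain, subs in by_domain.items():
        avg_len = sum(map(len, subs)) / len(subs)
        ent = shannon_entropy("".join(subs))
        uniq = len(set(subs)) / len(subs)   # tunnels rarely repeat a name
        result[domain] = {
            "queries": len(subs),
            "avg_subdomain_len": round(avg_len, 1),
            "entropy": round(ent, 2),
            "unique_ratio": round(uniq, 2),
            "suspicious": avg_len >= min_avg_len and ent >= min_entropy and uniq > 0.8,
        }
    return result


# Constructed sample input: a fake config file and a handful of benign lookups.
EXFIL_PAYLOAD = (
    b"[database]\nhost=10.0.0.5\nuser=svc_backup\npassword=Tr0ub4dor&3\n"
    b"[api]\nendpoint=https://internal.example.com/v1\ntoken=9f3c2e1a7b44d0e1\n"
    b"[smtp]\nrelay=mail.example.org\nuser=relay\npassword=correct-horse-battery\n"
)
BENIGN_QUERIES = [
    "www.example.com", "www.example.com", "api.example.com",
    "mail.example.org", "cdn.example.org", "login.example.org",
]
QUERY_LOG = BENIGN_QUERIES + encode_queries(EXFIL_PAYLOAD)

if __name__ == "__main__":
    for domain, stats in score_domains(QUERY_LOG).items():
        print(domain, stats)
    print(decode_queries(QUERY_LOG) == EXFIL_PAYLOAD)
```

Running it prints one line per domain; only example.net is marked suspicious, with long, high-entropy, never-repeated subdomains, while the benign domains stay far below every threshold. The thresholds are starting points, not tuned values: CDNs and some anti-spam services legitimately use long hashed subdomains, so a real deployment would whitelist known domains and alert on volume over time rather than on a single query.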
Real-world cases (DarkHydrus, OilRig)
Campaigns linked to espionage and long-dwell intrusion sets keep returning to DNS tunneling because the channel is flexible and blends into necessary infrastructure. The pattern matters more than the campaign names: attackers use whatever trusted channel defenders monitor the least.
