How to detect data exfiltration using DNS?

Questions · 8 Skills Pro · Dec 19, 2025

Detecting data exfiltration via DNS (often called DNS tunnelling) is a critical skill because outbound DNS is almost always permitted: egress firewalls let port 53 through, and the local recursive resolver will forward a query for any domain on the client's behalf, so the attacker's server is reached without any direct connection from the victim.

When an attacker exfiltrates data via DNS, they aren't "visiting" a website; they encode the stolen data (a password, a chunk of a file) into the subdomain labels of a domain they control, and every query for such a name ends up at their authoritative name server, where the labels are decoded and reassembled.

Here is how you detect this in Wireshark:

1. Look for Unusually Long Queries

Normal DNS queries are short (e.g., google.com). Exfiltration queries carry chunks of data, so attackers pack the name as full as the protocol allows (63 characters per label, 253 for the whole name). Length alone is a lead, not proof: CDNs, cloud services and anti-spam lookups also produce long names, so treat hits as candidates to inspect.

  • Filter: dns.qry.name.len > 50
  • What to look for: Look for long, gibberish strings like a1b2c3d4e5f6g7h8.attacker-domain.com.

2. Look for High Frequency (Volume)

Since a single query name can carry at most a couple of hundred bytes of encoded payload, an attacker must send hundreds or thousands of queries to move a single file.

  • Method: Go to Statistics > DNS.
  • What to look for: An unusually high number of requests to a single, unknown domain. If one internal IP is sending 5,000 requests in 10 minutes to a weird domain, that’s a huge red flag.

3. Identify Unusual Resource Record (RR) Types

Attackers often use specific DNS record types to carry more data:

  • TXT Records: A TXT record carries one or more character-strings of up to 255 bytes each, so a single response can return far more data than fits in a query name; tunnelling tools use it to move data from the attacker's server back to the client.
    • Filter: dns.qry.type == 16 (16 is the code for TXT)
  • NULL Records: An obsolete record type that almost never appears in legitimate traffic, but it carries arbitrary binary data, which makes it attractive for tunnelling.
    • Filter: dns.qry.type == 10

4. Check for Entropy (Randomness)

Normal domain names use dictionary words or standard abbreviations. Exfiltrated data is usually encoded (Base32 or hex are common, because DNS names are case-insensitive and would corrupt Base64) or encrypted, so the labels look random.

  • Visual Check: Apply the display filter dns and read the query names in the Info column (or add dns.qry.name as a custom column).
  • Check: If you see strings like ORZGC43VMJWXG2L.site.com, MZXW6YTBOI.site.com, and BIWS43TP.site.com all going to the same domain, each one is likely a "piece" of a stolen file. Those particular strings are Base32, which is what many tunnelling tools emit.

Summary Checklist for Hunting DNS Exfiltration:

  1. Search for long domains: dns.qry.name.len > 50 (drop to 30 when hunting more aggressively, and expect more CDN and cloud noise).
  2. Filter for "Data-Heavy" records: dns.qry.type == 16 || dns.qry.type == 10 (the numeric codes are the safe form: 16 is TXT, 10 is NULL).
  3. Check Volume: Look for a sustained plateau or spike in the DNS traffic graph (Statistics > I/O Graphs with the display filter dns).
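The four checks above can be scripted so they run over a whole capture instead of being eyeballed in the Info column. The following is an added example, not code from the original answer: it takes query rows in the shape `tshark -T fields` would export (timestamp, source IP, query type, query name), applies the length, entropy, record-type and volume heuristics, and flags a client/domain pair only when at least two signals agree. The addresses (10.0.0.5, 10.0.0.7), the domains, the thresholds and the encoded payload are constructed for the demonstration, and the two-label domain split stands in for a proper Public Suffix List lookup.

```python
"""Heuristic hunt for DNS tunnelling over exported DNS queries.

Added example, not code from the original page. Rows mimic the output of
  tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
      -e frame.time_epoch -e ip.src -e dns.qry.type -e dns.qry.name
Addresses, domains and payload below are constructed placeholders.
"""
import base64
import math
import random
from collections import defaultdict

TXT = 16    # dns.qry.type == 16
NULL = 10   # dns.qry.type == 10
DATA_HEAVY_TYPES = {TXT, NULL}


def shannon_entropy(text):
    """Bits per character of text: 0.0 for one repeated char, up to 5.0 for Base32."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Assumes a two-label registrable domain (a simplification for the example);
    real code should consult the Public Suffix List (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def hunt(rows, min_len=50, min_entropy=3.5, max_queries=10):
    """Return {(src_ip, domain): [reasons]} for suspicious client/domain pairs.

    rows: (epoch_seconds, src_ip, qry_type, qry_name). The thresholds suit the
    constructed sample; on real traffic start from the page's values (length > 50,
    thousands of queries) and baseline against your own network first."""
    stats = defaultdict(lambda: {"count": 0, "long": 0, "entropy": 0, "heavy": 0,
                                 "first": math.inf, "last": -math.inf})
    for ts, src, qtype, qname in rows:
        sub, dom = split_name(qname)
        s = stats[(src, dom)]
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        if len(qname) > min_len:                               # check 1: length
            s["long"] += 1
        if shannon_entropy(sub.replace(".", "")) >= min_entropy:  # check 4: entropy
            s["entropy"] += 1
        if qtype in DATA_HEAVY_TYPES:                          # check 3: TXT / NULL
            s["heavy"] += 1

    flagged = {}
    for key, s in stats.items():
        reasons = []
        if s["long"]:
            reasons.append(f"{s['long']} queries longer than {min_len} chars")
        if s["entropy"]:
            reasons.append(f"{s['entropy']} high-entropy subdomains")
        if s["heavy"]:
            reasons.append(f"{s['heavy']} TXT/NULL queries")
        if s["count"] > max_queries:                           # check 2: volume
            reasons.append(f"{s['count']} queries in {s['last'] - s['first']:.0f}s")
        # One long CDN name or a lone SPF lookup is normal; demand two signals.
        if len(reasons) >= 2:
            flagged[key] = reasons
    return flagged


def constructed_normal_rows(src="10.0.0.5", start=100.0):
    """Constructed benign traffic: a few A/AAAA lookups and one TXT lookup."""
    names = ["www.example.com", "mail.example.com", "cdn.example.net",
             "api.example.net", "www.example.com"]
    rows = [(start + i, src, 1 if i % 2 == 0 else 28, n) for i, n in enumerate(names)]
    rows.append((start + 10, src, TXT, "example.com"))
    return rows


def constructed_exfil_rows(src="10.0.0.7", domain="exfil-test.example", start=100.0):
    """Constructed attacker traffic (placeholder domain): 360 pseudo-random bytes
    standing in for an encrypted file, cut into 30-byte chunks, Base32-encoded
    (DNS is case-insensitive, so Base64 would be corrupted) and sent one chunk
    per TXT query with a two-digit sequence number for reassembly."""
    rng = random.Random(7)                                     # fixed seed: repeatable run
    payload = bytes(rng.getrandbits(8) for _ in range(360))
    rows = []
    for seq, off in enumerate(range(0, len(payload), 30)):
        label = base64.b32encode(payload[off:off + 30]).decode().rstrip("=")  # 48 chars
        rows.append((start + seq * 0.2, src, TXT, f"{seq:02d}{label}.{domain}"))
    return rows


if __name__ == "__main__":
    hits = hunt(constructed_normal_rows() + constructed_exfil_rows())
    for (src, dom), reasons in sorted(hits.items()):
        print(f"{src} -> {dom}: " + "; ".join(reasons))
```

Run against real data by piping the tshark field export into the same row shape. The two-signal rule is deliberate: each heuristic on its own produces false positives (long CDN hostnames, Base32-looking cache-busting labels, legitimate SPF/DKIM TXT lookups), while exfiltration tends to trip several at once for the same source and domain.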

Try this in the lab:
If you have a capture file, apply the dns filter and look for any destination domain that appears hundreds of times. Do the subdomains look like real words, or like random letters and numbers?
