TA0010 · ATT&CK Tactic
Exfiltration
Move stolen data off the network without triggering DLP or firewall blocks. DNS tunneling encodes data into query strings — port 53 is rarely inspected and almost never blocked outbound.
T1048.003 · Exfiltration Over DNS
Encode stolen data as subdomain labels in DNS queries — e.g. aGVsbG8gd29ybGQ.tunnel.attacker.com. The resolver forwards queries through corporate firewalls because DNS is trusted. Iodine establishes a full IP-over-DNS tunnel; dnscat2 does it in pure userland with no kernel driver. 844 queries exfiltrate ~180 KB/s of compressed data.
Attack Simulation · Ready
# Attacker controls: tunnel.attacker.com NS → 185.220.101.47
# iodine server running on VPS, awaiting client
NGFW Alert — High
Foyl NGFW · FW-2024-3391 · HIGH
{
  "rule": "DNS Tunneling — Anomalous Query Volume",
  "src_ip": "192.168.3.45",
  "src_host": "RESEARCH-STATION-01",
  "protocol": "DNS/UDP",
  "dst_port": 53,
  "queries_per_min": 847,
  "baseline_qpm": 12,
  "domain": "*.tunnel.attacker.com",
  "subdomain_entropy": 4.82,
  "avg_label_len": 47,
  "data_volume_kb": 184,
  "investigation": "INV-2024-0087"
}
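The alert fields above (query rate against a per-host baseline, average label length, subdomain entropy and an estimate of carried data) can all be derived from plain DNS query logs. The following is an added example, not the NGFW's own detection logic, run over constructed traffic; the zone name, IP addresses, thresholds and the two-label registered-domain assumption are placeholders.

```python
import base64
import math
from collections import Counter, defaultdict

# Constructed traffic, not a real capture: one host doing ordinary lookups and
# one host pushing base64 chunks as subdomain labels, in the shape of the
# aGVsbG8gd29ybGQ.tunnel.attacker.com example. Names and IPs are placeholders.
ZONE = "tunnel.attacker.com"
SECRET = ("quarterly results, customer list, source tree " * 120).encode()

def build_sample():
    """Return (minute, src_ip, qname) tuples covering one minute of traffic."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.net"]
    queries = [(0, "192.168.3.10", benign[i % 3]) for i in range(20)]
    chunk = 36  # 36 bytes -> 48-char label, under the 63-byte DNS label limit
    for i in range(0, len(SECRET), chunk):
        label = base64.urlsafe_b64encode(SECRET[i:i + chunk]).decode().rstrip("=")
        queries.append((0, "192.168.3.45", f"{label}.{ZONE}"))
    return queries

def shannon_entropy(text):
    """Bits per character of `text`; near log2(64) for base64-like labels."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def profile(queries, zone_labels=2):
    """Aggregate per (src_ip, registered domain, minute) into NGFW-style fields.
    Assumption: registered domain = last `zone_labels` labels; production code
    would consult the public suffix list instead."""
    buckets = defaultdict(list)
    for minute, src, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        sub = labels[:-zone_labels] or [""]
        # the longest label is the one that carries encoded data in a tunnel
        buckets[(src, ".".join(labels[-zone_labels:]), minute)].append(max(sub, key=len))
    stats = {}
    for key, data_labels in buckets.items():
        n = len(data_labels)
        stats[key] = {
            "queries_per_min": n,
            "avg_label_len": sum(map(len, data_labels)) / n,
            "subdomain_entropy": sum(map(shannon_entropy, data_labels)) / n,
            "est_payload_bytes": sum(map(len, data_labels)) * 6 // 8,  # 6 bits per base64 char
        }
    return stats

def flag_tunnels(stats, baseline_qpm=12, rate_factor=10, min_label=30, min_entropy=4.0):
    """Return keys whose rate, label length and entropy all look like encoded data."""
    return sorted(k for k, s in stats.items()
                  if s["queries_per_min"] > rate_factor * baseline_qpm
                  and s["avg_label_len"] >= min_label
                  and s["subdomain_entropy"] >= min_entropy)
```

Requiring all three signals together keeps CDNs and cloud hostnames (high volume, short low-entropy labels) from tripping the rule, while the payload estimate gives responders a size to compare against the investigated host's sensitive data.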