Detecting DNS Tunnelling Without Deep Packet Inspection
DNS tunnelling encodes arbitrary data into DNS query names. DKTrace detects it through query entropy analysis, subdomain length distribution, and request-per-domain rate — all from metadata alone.
DKTrace Research Team
Security Engineering · Threat Research
How DNS Tunnelling Works
Tools like DNScat2, Iodine, and custom APT tooling encode C2 traffic or exfiltrated data into DNS query names. The encoded data travels inside legitimate DNS requests — port 53 is rarely blocked, making it an attractive exfiltration channel.
A normal query looks like: mail.google.com
A tunnelled query looks like: a8f3d2c1b4e7f923.evil.com
DKTrace's DNS Anomaly Engine
The nta-engine computes per-domain per-source statistics over 5-minute sliding windows:
Signal 1: Shannon Entropy
Normal hostnames have entropy ~2.5 bits/char. Base64-encoded data reaches 5.8+ bits/char.
def shannon_entropy(label: str) -> float:
freq = Counter(label)
total = len(label)
return -sum((c/total) * math.log2(c/total) for c in freq.values())Threshold: entropy > 4.5 bits/char → anomalous
Signal 2: Unique Subdomain Count
Signal 3: Query Name Length Distribution
Signal 4: NX Domain Ratio
High NXDOMAIN ratio indicates the client is using the DNS server as a channel, not resolving real hosts. Normal NX ratio: < 5%. Tunnelling: 40–80%.
Signal 5: Record Type Abuse
TXT, NULL, and CNAME records are rarely used in normal traffic but frequently used for tunnelling payloads.
Combined Detection Rule
IF (entropy > 4.5 AND unique_subs > 100) OR
(query_length_p95 > 80 AND nx_ratio > 0.3) OR
(txt_query_rate > 10/min AND unique_subs > 50)
THEN fire T1071.004 (confidence = HIGH)False Positive Avoidance
DKTrace whitelists:
See It Live
Watch DKTrace detect this threat in your environment
Our engineers will run a live detection simulation against a sample of your log telemetry — no agents, no commitment.
Request a Live Demo