Skip to content

Explain DNS data exfiltration and how a blue team would detect it.

Short answer

DNS exfiltration encodes stolen data into DNS queries (e.g. long subdomain labels sent to an attacker-controlled authoritative server), abusing the fact that DNS is almost always allowed outbound and often unmonitored. Detect it with anomalies: unusually high query volume to one domain, long/high-entropy subdomains, many unique subdomains per parent domain, TXT/NULL record abuse, and queries to newly registered or rare domains.

DNS exfiltration is a favorite because DNS is the protocol everyone forgets to watch. Firewalls block most outbound ports, but port 53 is nearly always open, internal hosts trust the resolver, and few teams inspect query contents. Interviewers ask this to test whether you understand covert channels and can build detection from traffic characteristics rather than signatures.

How it works

The attacker controls the authoritative DNS server for a domain they own, say evil.com. Malware on a victim encodes chunks of stolen data (often base32/hex) into subdomain labels and issues lookups like Y2FyZHM.chunk2.evil.com. The query walks the DNS hierarchy until it reaches the attacker's server, which logs the data and can answer back in the response (e.g., a TXT or NULL record) to form a two-way channel — the basis of tools like iodine and dnscat2. It is slow and chatty, but it slips past egress controls and is great for C2 and small data theft.

How to detect it

Look for statistical anomalies, not strings:

  • High query volume to a single parent domain from a host.
  • Long subdomains and high-entropy labels (encoded data looks random, unlike real hostnames).
  • Many unique subdomains under one domain (each query carries new data).
  • Heavy use of TXT/NULL record types and large responses.
  • Queries to newly registered, rare, or low-reputation domains, and clients bypassing the corporate resolver.

Why this matters

Defenses include forcing all DNS through inspected resolvers, DNS firewalling / sinkholing, threat-intel feeds for malicious domains, and analytics on the signals above. A strong answer explains why DNS is abused, sketches the encode-into-subdomain mechanism, and lists behavioral detections — showing you can hunt covert channels that have no neat signature.

Likely follow-ups

  • Why is DNS such an attractive covert channel compared to HTTP?
  • How does a tunneling tool like iodine or dnscat2 structure its queries?
  • How would a DNS firewall or sinkhole help here?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.