DNS-TUNNEL-EXFILExfiltration

DNS Tunneling Exfil (iodine / dnscat2)

Encode exfil data into subdomain queries — works wherever recursive DNS is allowed out, often the last egress channel open.

§ Where this technique fits

DNS-TUNNEL-EXFIL is catalogued under the Exfiltration tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

DNS tunnel exfiltration in restricted egress
Outbound web is filtered, but DNS still resolves to the corporate forwarder. Use iodine / dnscat2 to tunnel a shell + exfil over DNS queries to an attacker-controlled authoritative server.
step 3 / 5

§ What commonly comes next

01
DNS-over-HTTPS C2 Channel
DNS-DOH-C2 · Command and Control
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

DNS tunnel exfiltration in restricted egress

§ What commonly comes next