DNS Exfiltration: How Hackers Steal Data Without Detection
Last Updated: July 3rd, 2025 | 7 min read | Categories: Breach, Cybersecurity, Data Exfiltration

DNS Exfiltration: How Hackers Use Your Network to Steal Data Without Detection

Cybercriminals use a wide range of techniques to steal sensitive business data, from phishing emails and credential theft to malware and insider compromise. As security defenses improve, attackers continue to adapt, searching for quieter ways to bypass detection and extract valuable information.

One method that is particularly hard for firms to spot is DNS exfiltration. This technique takes advantage of the Domain Name System, which plays a key role in internet communication, but is rarely monitored closely. By hiding data within routine DNS traffic, hackers can remove information without raising alarms.

The result is quiet, patient data theft that gives attackers many opportunities, such as stealing financial data, customer records or authentication credentials. Understanding how it works is therefore critical for modern threat mitigation.

How DNS Exfiltration Works

Data exfiltration is the main goal of many cyberattacks. According to our research, 94 percent of ransomware attacks in 2024 attempted to steal data. DNS exfiltration is a covert method of achieving this that abuses the normal process of domain name resolution. Instead of using direct file transfers or web-based communication, attackers encode stolen data into DNS queries that appear harmless to most security tools, allowing them to exfiltrate data without raising red flags.

Here’s how the process typically works:

1. Initial compromise: The attacker first gains access to the target network, often through phishing, malware or an exploited vulnerability.
2. Data gathering: Once inside, the attacker locates valuable information suitable for exfiltration via DNS, such as credentials, customer records, intellectual property or financial data.
3. Data encoding: The stolen data is broken into chunks small enough to fit within DNS name length limits, and each chunk is encoded into a DNS query, often as a custom subdomain. For example, part of a password might be disguised as x1a2b3c.example-attacker.com.
4. Outbound transmission: The infected system sends these DNS requests to an external, attacker-controlled domain. Since DNS traffic is usually allowed by firewalls, this step often goes unnoticed.
5. Data collection: The attacker’s DNS server receives the requests, extracts and reassembles the data to complete the exfiltration.

This method can be used to steal a wide range of sensitive data, including login credentials, internal documents, customer information, encryption keys and system configurations. Because it operates through a common and trusted protocol, DNS exfiltration is difficult to detect without specific monitoring in place.

Why Hackers Use DNS for Data Exfiltration

DNS is a foundational part of the internet infrastructure. It translates domain names into IP addresses, allowing browsers and applications to find and connect to websites and services. Because this is essential for normal network function, requests to DNS servers are typically allowed by default and rarely restricted by cybersecurity defenses.

This means that, unlike other protocols, DNS traffic is often not inspected closely. Many businesses instead focus their efforts on email, web or file transfer activity. As a result, DNS is frequently overlooked in security monitoring and may not be logged or filtered effectively.

This makes it an ideal channel for attackers conducting low-throughput data exfiltration. By embedding stolen data into a series of outbound DNS queries, they can transfer small amounts of information without detection. Each query appears legitimate on the surface and blends in with the thousands of DNS requests a business generates every day.

Over time, this technique can be used to extract login credentials, internal documents or other sensitive information without triggering alerts from firewalls or traditional security tools.

How to Spot DNS Exfiltration in Your Network

Because DNS exfiltration is designed to go unnoticed, businesses need systems in place that can monitor and analyze DNS traffic in real time. Without visibility into this layer, attackers may quietly extract sensitive data over weeks or months before being discovered.

However, even though DNS exfiltration is designed to be as unobtrusive as possible, there are still a few red flags that can warn you of such an attack in progress. These include:

  • Unusually high volumes of DNS queries from a single device
  • DNS requests to unknown or rarely used domains
  • Domains with long, random-looking subdomain strings
  • Repeated queries to non-existent subdomains under the same root domain
  • DNS requests occurring at odd hours or outside normal usage patterns
  • Outbound DNS traffic to servers outside your geographic region
  • Encoded or base64-like strings embedded in DNS queries

Any one of these may not confirm an attack, but together they can indicate a suspicious pattern of activity. Tools that use behavioral analytics can help detect these early and reduce the risk of data loss.
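A minimal way to turn several of these red flags into a check, as an added example that is not part of the original post: it scores each query on leftmost-label length, character entropy and a base64-like alphabet, and counts repeated NXDOMAIN answers per client under one root domain. The log format, client addresses and domain names are constructed sample data, and the thresholds are illustrative values that would need tuning against your own baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the original post): "client qname rcode".
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 4d3a2b1c0f9e8d7c6b5a4f3e2d1c0b9a.example-attacker.com NXDOMAIN
10.0.0.7 ZGF0YS1jaHVuay0wMDAx.example-attacker.com NXDOMAIN
10.0.0.7 cGFzc3dvcmQtcGFydC0y.example-attacker.com NXDOMAIN
10.0.0.7 updates.example.com NOERROR
"""
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")  # base64/base32/hex-style alphabets

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded or random labels score well above English words."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registered_domain(qname: str) -> str:
    """Naive root-domain extraction (assumes two-label roots; no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname: str) -> int:
    """Suspicion score (0-3) for one query name, judged on its leftmost label."""
    label = qname.split(".")[0]
    score = 0
    if len(label) >= 20:                  # long labels carry encoded payload chunks
        score += 1
    if shannon_entropy(label) > 3.5:      # random-looking text
        score += 1
    if BASE64ISH.match(label):            # base64-like character set
        score += 1
    return score

def analyse(log_text: str, score_threshold: int = 2, nx_threshold: int = 3) -> dict:
    """Aggregate signals per client; return clients that look like exfiltration sources."""
    score = defaultdict(int)
    nx_by_root = defaultdict(Counter)     # client -> root domain -> NXDOMAIN count
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        score[client] += score_query(qname)
        if rcode == "NXDOMAIN":
            nx_by_root[client][registered_domain(qname)] += 1
    flagged = {}
    for client, total in score.items():
        repeated_nx = max(nx_by_root[client].values(), default=0)
        if total >= score_threshold or repeated_nx >= nx_threshold:
            flagged[client] = {"score": total, "repeated_nxdomain": repeated_nx}
    return flagged
```

Running `analyse(SAMPLE_LOG)` flags only 10.0.0.7, whose three long, high-entropy labels all drew NXDOMAIN under the same root; a real deployment would add per-client query-rate and time-of-day baselines from the list above.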

How to Prevent DNS Exfiltration

DNS exfiltration is designed to be subtle, which means that by the time it’s detected, the damage may already be done. That’s why prevention needs to start early. As part of their data protection management, businesses must monitor DNS activity proactively, looking for the telltale signs above, and be able to respond quickly enough to shut down attempts before they succeed.

Here are key steps to reduce the risk:

  • Monitor DNS traffic using security tools or SIEM platforms that can flag anomalies in query volume, frequency and structure.
  • Implement DNS filtering to block access to known malicious domains and restrict queries to trusted resolvers.
  • Use egress filtering to limit which systems can send DNS requests to the internet.
  • Deploy behavioral analytics to detect abnormal DNS activity that traditional tools may miss.
  • Log and audit DNS activity regularly to establish baselines and quickly identify deviations.
  • Educate employees about phishing and social engineering, which are common entry points for DNS-based attacks.

Tools to prevent DNS exfiltration should be seen as an essential last line of defense that can protect firms even if networks have already been breached by hackers.
