Detecting DNS tunneling-based data exfiltration using machine learning

Authors

  • Saroj Gautam Department of Electronics and Computer Engineering, Thapathali Campus, Tribhuvan University, Kathmandu, Nepal
  • Binod Sapkota Department of Electronics and Computer Engineering, Thapathali Campus, Tribhuvan University, Kathmandu, Nepal
  • Babu R. Dawadi Department of Electronics and Computer Engineering, Pulchowk Campus, Tribhuvan University, Kathmandu, Nepal
  • Utkarsha Shukla Department of Electronics and Computer Engineering, Thapathali Campus, Tribhuvan University, Kathmandu, Nepal

DOI:

https://doi.org/10.3126/jiee.v9i1.90356

Keywords:

Convolutional Neural Network, Data exfiltration, DNS tunneling, Support Vector Machine

Abstract

The misuse of DNS tunneling for covert data exfiltration is a significant threat to network security because DNS traffic is typically trusted and allowed through firewalls without deep inspection. Attackers exploit this protocol by embedding encoded payloads within DNS queries and responses, enabling them to bypass traditional security mechanisms that struggle to identify such stealthy, low-and-slow exfiltration patterns. This paper presents a hybrid detection framework that combines a one-dimensional Convolutional Neural Network (1D CNN) for automated feature extraction with a Support Vector Machine (SVM) classifier for robust decision-making. The model is trained and evaluated on the BCCC-CIC-Bell-DNS-EXF dataset, which contains diverse benign, light, and heavy exfiltration samples generated using real tunneling tools such as Iodine. Experimental results demonstrate high effectiveness, with the CNN+SVM approach achieving up to 99.91% accuracy, minimal false positives, and consistent performance under 5-fold cross-validation. Furthermore, an NFQUEUE-based real-time prototype demonstrates live DNS packet interception and online feature computation, and enables low-latency (millisecond-level) decision-making using a baseline SVM classifier trained on entropy features in our test environment (approximately 1.4–2.4 ms per query). Overall, this paper provides an effective approach for DNS tunneling detection and establishes a foundation for future work, including integration of the proposed model into real-time operation and extensions to encrypted DNS protocols and explainable detection.
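The abstract describes online computation of entropy-style features on intercepted DNS queries and a classifier deciding per query. The following is an added illustration, not code from the paper or its NFQUEUE prototype: it computes Shannon entropy and simple shape features for each queried name, applies constructed thresholds in place of the paper's trained SVM, and aggregates suspicious hits per registered domain, since tunneling shows up as many distinct high-entropy subdomains under one parent domain. The "registered domain is the last two labels" rule, the thresholds, and the sample query names are all assumptions made for this example.

```python
import math
from collections import Counter

# Illustrative thresholds for this example only; the paper uses a trained
# SVM on its entropy features rather than fixed cut-offs.
ENTROPY_THRESHOLD = 3.5   # bits per character of the subdomain part
LONGEST_LABEL_THRESHOLD = 20


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain_chars).

    Simplification (assumption): the registered domain is the last two
    labels. A real deployment would consult the Public Suffix List.
    """
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    if len(labels) < 2:
        return ".".join(labels), ""
    registered = ".".join(labels[-2:])
    subdomain_chars = "".join(labels[:-2])  # label separators are not payload
    return registered, subdomain_chars


def query_features(qname: str) -> dict:
    """Per-query features of the kind an online detector can compute cheaply."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    registered, sub = split_name(qname)
    digits = sum(ch.isdigit() for ch in sub)
    return {
        "registered_domain": registered,
        "qname_len": len(qname.rstrip(".")),
        "label_count": len(labels),
        "longest_label": max((len(lab) for lab in labels), default=0),
        "subdomain_entropy": shannon_entropy(sub),
        "digit_ratio": digits / len(sub) if sub else 0.0,
    }


def is_suspicious(features: dict) -> bool:
    """Constructed rule standing in for the classifier: long label AND high entropy."""
    return (features["subdomain_entropy"] >= ENTROPY_THRESHOLD
            and features["longest_label"] >= LONGEST_LABEL_THRESHOLD)


def summarize(qnames) -> dict:
    """Aggregate per registered domain: total queries and suspicious queries."""
    summary = {}
    for qname in qnames:
        f = query_features(qname)
        entry = summary.setdefault(f["registered_domain"], {"total": 0, "suspicious": 0})
        entry["total"] += 1
        if is_suspicious(f):
            entry["suspicious"] += 1
    return summary


# Constructed sample queries (not from the dataset): two ordinary names,
# two names whose leftmost label is 32 hex characters, one benign multi-label name.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "0123456789abcdef0123456789abcdef.example.com",
    "fedcba9876543210fedcba9876543210.example.com",
    "cdn.static.example.net",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        f = query_features(q)
        print(f"{q:50s} entropy={f['subdomain_entropy']:.2f} "
              f"longest={f['longest_label']:2d} suspicious={is_suspicious(f)}")
    print(summarize(SAMPLE_QUERIES))
```

The entropy of a 32-character hex label with each symbol appearing twice is exactly 4 bits per character, while a label such as "www" scores 0; the gap between the two is what an entropy feature exposes, and the per-domain aggregation is what catches low-and-slow transfers that an individual-query threshold alone might miss.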

Published

2026-06-01

How to Cite

Gautam, S., Sapkota, B., Dawadi, B. R., & Shukla, U. (2026). Detecting DNS tunneling-based data exfiltration using machine learning. Journal of Innovations in Engineering Education, 9(1), 105–119. https://doi.org/10.3126/jiee.v9i1.90356

Section

Articles