
[2026.03.11] Resolution Without Dissent: In-Path Per-Query Sanitization to Defeat Surreptitious Communication Over DNS

(@ebhwang)
Posts: 19
Member
Topic starter
 
As one of the most fundamental Internet components, DNS has served various purposes, and thus DNS traffic usually exhibits diverse patterns and is probably the least blocked by network administrators. These properties make DNS an attractive channel for attackers to establish surreptitious communications (i.e., DNS tunneling). In fact, such a surreptitious channel has been widely abused for command and control (C2) and enterprise-unapproved virtual private networks (VPNs). Existing approaches exclusively rely on the statistical characteristics of a sequence of DNS queries to detect DNS tunneling. Unfortunately, these approaches by nature cannot guarantee zero data leakage and can be evaded when the stolen data is exfiltrated over many root domains. As a result, state-of-the-art approaches are more suitable for threat investigation and forensic analysis, but not for DNS tunneling prevention.
To fill this protection gap, we propose TunTight, the first system that is able to achieve in-path per-query DNS tunneling prevention. Our key insight is that DNS tunneling domains have unique characteristics in their authoritative nameservers, domain usage, and domain name patterns. Based on these characteristics, a set of unique features is defined, extracted, and fed to a machine learning model. To validate the efficacy of TunTight, we integrate it into the cloud backend of an enterprise firewall product by one of the largest security vendors. In our two-month real-world deployment, TunTight has successfully detected 349 confirmed tunnels at the very first query with negligible false positives and negatives. We also conduct the first large-scale study of DNS tunneling activities in the wild. One interesting finding is that most DNS tunneling traffic in enterprise networks comes from public tunneling tools and enterprise-unapproved VPN services.

This topic was modified 1 week ago by 황은비.
 
Posted: March 11, 2026, 12:58 PM