What is an indicator of DNS tunneling?

DNS tunneling relies on hiding data inside the DNS queries themselves. The most telling sign is long or encoded subdomains within the host portion of those queries. When data is being exfiltrated through DNS, attackers pack it into the left-most labels of the domain name, often producing DNS queries that look unusually long or contain random, encoded strings. Normal traffic typically uses short, meaningful subdomains, so this pattern stands out as a clear indicator of tunneling. Other choices are less diagnostic. Abnormally large DNS responses can happen for legitimate reasons (large TXT records, DNSSEC, or misconfigurations) and don’t track with how tunneling conveys data. A high volume of DNS queries can occur in normal environments or during legitimate bursts of activity. DNS over HTTPS hides DNS traffic rather than showing the payload pattern of tunneling, so it’s not a reliable indicator by itself.