Title: FQDN similarity and cache-miss property based DNS tunneling detection technique

Authors: Bhowmik, M.; Chowdhary, A.; Rudra, B.

Dates: 2026-02-06; 2021

Venue: 12th International Conference on Advances in Computing, Control, and Telecommunication Technologies, ACT 2021, 2021, Vol. 2021-August, p. 513-518

DOI: https://doi.org/
URI: https://idr.nitk.ac.in/handle/123456789/30316

Abstract: Although there are many effective methods to detect DNS tunneling attacks, the attacks still happen, and attackers can mimic genuine queries to bypass such checks. In data exfiltration, however, the DNS queries change continuously because part of each query carries the data itself. All such queries therefore result in a cache miss, and this property can be used to detect DNS tunneling. Relying on cache misses alone is not enough, though, as it also produces many false positives. To overcome this, we propose three criteria-based methods that use the properties of DNS tunneling queries to reduce the number of false positives and thus accurately detect DNS tunneling traffic. We also discuss ways of bypassing these checks; they are both costly and require the attacker to make redundant queries. © Grenze Scientific Society, 2021.

Keywords: Data exfiltration; DNS cache server; DNS queries; DNS tunneling; DNS tunneling detection; Dnscat2; FQDN
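The abstract's core idea, that exfiltration queries always miss the resolver cache while also looking alike (same parent domain, ever-changing encoded left labels), can be illustrated with a small detector run over resolver log lines. The following is an added example, not code from the paper or its authors: the log format, the rule that the registrable parent is the last two labels, and the three thresholds (minimum query count, cache-miss ratio, distinct-subdomain ratio plus label entropy) are this example's own assumptions and are not the paper's three criteria. The sample log lines are constructed.

```python
"""Toy illustration of the cache-miss plus FQDN-similarity detection idea.
Added example code, not the paper's implementation: the log format, the
parent-domain rule and the thresholds below are this example's assumptions."""
from collections import defaultdict
import math

# Constructed resolver log lines: "<client> <qname> <HIT|MISS>" (not real data).
SAMPLE_LOG = """\
10.0.0.5 www.example.com HIT
10.0.0.5 mail.example.com HIT
10.0.0.5 www.example.com HIT
10.0.0.5 cdn.example.net MISS
10.0.0.9 a3f9c1e2b7d4.tunnel-demo.test MISS
10.0.0.9 9b2e7d0c4a1f.tunnel-demo.test MISS
10.0.0.9 c71d3e8f0a25.tunnel-demo.test MISS
10.0.0.9 4e0a9f3b6c18.tunnel-demo.test MISS
10.0.0.9 d5b8c2a7e913.tunnel-demo.test MISS
10.0.0.9 www.example.com HIT
"""


def parse_log(text):
    """Return (client, fqdn, is_miss) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, result = line.split()
        records.append((client, qname.lower().rstrip("."), result == "MISS"))
    return records


def split_fqdn(fqdn):
    """Assumption: the registrable parent is the last two labels; everything
    to the left is the part a tunnel would use to carry data."""
    labels = fqdn.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character of a string; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def group_stats(records):
    """Aggregate queries per (client, parent domain). Grouping by parent is
    the 'FQDN similarity' view: tunnel queries share a parent while their
    left-hand labels keep changing, so every one of them misses the cache."""
    groups = defaultdict(lambda: {"queries": 0, "misses": 0,
                                  "subdomains": set(), "entropy_sum": 0.0})
    for client, fqdn, is_miss in records:
        sub, parent = split_fqdn(fqdn)
        g = groups[(client, parent)]
        g["queries"] += 1
        g["misses"] += int(is_miss)
        g["subdomains"].add(sub)
        g["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    stats = {}
    for key, g in groups.items():
        n = g["queries"]
        stats[key] = {
            "queries": n,
            "miss_ratio": g["misses"] / n,
            "distinct_ratio": len(g["subdomains"]) / n,
            "mean_entropy": g["entropy_sum"] / n,
        }
    return stats


def flagged_groups(records, min_queries=5, min_miss_ratio=0.8,
                   min_distinct_ratio=0.8, min_entropy=3.0):
    """Apply the example's own criteria on top of the raw cache-miss signal,
    so a single miss (e.g. a first visit to a CDN host) is not flagged."""
    out = []
    for (client, parent), s in group_stats(records).items():
        if (s["queries"] >= min_queries
                and s["miss_ratio"] >= min_miss_ratio
                and s["distinct_ratio"] >= min_distinct_ratio
                and s["mean_entropy"] >= min_entropy):
            out.append((client, parent))
    return sorted(out)


def detect(log_text):
    """Convenience wrapper: parse a log and return flagged (client, parent) pairs."""
    return flagged_groups(parse_log(log_text))


if __name__ == "__main__":
    for key, s in sorted(group_stats(parse_log(SAMPLE_LOG)).items()):
        print(key, s)
    print("flagged:", detect(SAMPLE_LOG))
```

On the constructed log, the single cache miss for cdn.example.net is exactly the kind of false positive the abstract warns about when cache misses are used alone; it is dropped by the query-count criterion, while the five unique, all-miss, high-entropy queries under tunnel-demo.test from 10.0.0.9 are flagged. In a real deployment the parent-domain rule would need a public-suffix list and the thresholds would be tuned against the resolver's baseline traffic.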