Performance Characteristics of DNS Tunneling
In the constantly evolving landscape of cyber threats, DNS tunneling remains one of the stealthiest and most underestimated attack vectors. By exploiting the fundamental role of DNS as a communication protocol, attackers are able to bypass traditional security defenses, create covert channels, and exfiltrate sensitive data.
We continue our series of articles on DNS Tunneling, where in previous pieces we’ve covered the essence of DNS tunneling and data exfiltration, explaining why it’s dangerous, how it works, and how surprisingly easy it is to execute. In this third article, we turn our attention to a critical and often overlooked factor: the Performance Characteristics of DNS Tunneling. Many assume these tunnels are too slow to matter, but the reality paints a different picture.
One might assume that using DNS for data transfer is extremely slow, since DNS is not designed for bulk data, and indeed, many DNS tunnels operate at low bitrates. However, the performance of DNS tunneling can vary widely depending on how it’s implemented and the network conditions. In the worst case, DNS tunneling is quite sluggish: for example, one security study noted a typical bandwidth of around 110 KB/s (0.11 MB/s) for DNS tunnels, which is minor compared to normal network speeds. Many real-world malware samples using DNS tunnels send data sparingly to avoid detection. However, under optimal conditions, DNS tunneling can achieve surprisingly high throughput, even exceeding tens of megabits per second.
Some of the open-source tools have modes or techniques to maximize DNS tunnel bandwidth. For instance, the tool Iodine can operate in what’s called “raw mode,” where it sends DNS packets directly to an authoritative server, bypassing the usual recursive resolver behavior. Before establishing the tunnel, Iodine checks which types of DNS packets are suitable for carrying payloads and automatically tests encoding options to find the most efficient one.
Once a working encoding is found, the tool tests the maximum possible payload size per packet by adjusting the downstream fragment size to ensure optimal throughput without fragmentation or packet loss.
In a controlled test environment, Iodine’s raw mode was shown to push over 50 Mbit/s through a DNS tunnel. In one benchmark, a 10MB file was transferred in just one second, demonstrating that DNS tunnels can achieve speeds rivaling legitimate network traffic under ideal conditions.
This was achieved by using large DNS packets and fast, direct query loops. If multiple parallel queries are used and the attacker controls the entire path, throughput can climb even higher. In theory, with extensions like EDNS0 allowing larger UDP payloads (~4KB per DNS message) and multiple queries in flight, a DNS tunnel could reach hundreds of megabits per second. In fact, security engineers have demonstrated that in ideal lab conditions (e.g., a local network with no DNS resolver in the middle), DNS tunneling can exceed 200 Mb/s of data transfer. That is comparable to or higher than many corporate internet connections, indicating that DNS tunneling is not just a trickle of data; it can be a firehose under the right circumstances.
On the other hand, the moment a DNS tunnel has to go through a typical recursive resolver, as in most real scenarios, performance drops dramatically. Even when all unknown outbound connections are completely blocked at the firewall level, the speed drops significantly, but the tunnel still remains operational.
This illustrates how persistent DNS tunnels can be even in tightly restricted network environments. Continuing the Iodine example, when the tunnel was forced to use a normal DNS server, which breaks data into many small queries and adds latency, the bandwidth plummeted from 50 Mbit/s to around 400 kbit/s (0.4 Mbit/s). That’s a huge drop, illustrating that real-world tunnels often face overhead. Additionally, many public DNS resolvers and corporate DNS servers will cache responses and rate-limit similar queries, further capping throughput. Attackers must balance speed with stealth: aggressive high-volume DNS tunneling might be faster, but it’s also more likely to be noticed by intrusion detection systems due to unusual traffic patterns. Therefore, in practice, many malicious DNS tunnels operate in the realm of a few kilobits to a few hundred kilobits per second, slow enough to stay under the radar, but still fast enough to gradually siphon significant data (for example, even 100 kbit/s can exfiltrate ~1 MB of data in 80 seconds, which over hours or days can leak gigabytes).
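The throughput figures above follow from a few quantities: how many encoded bytes fit in one query name, how much payload a response can carry, how many queries are in flight, and the round-trip time imposed by the path. The model below, added here as an example (it is not code from the article or from Iodine), puts those together so a defender can estimate the capacity of a suspected tunnel domain and scope how much data could have left in a given window. The name-length limits are the RFC 1035 values; the tunnel zone `t.example.com`, the latencies, in-flight counts and response sizes are constructed assumptions.

```python
"""Capacity model for a DNS tunnel: upstream via encoded query names,
downstream via response records.  Added example with constructed
scenario values; the only protocol constants are RFC 1035 limits."""
from dataclasses import dataclass

MAX_QNAME = 253  # max presentation-format name length, dots included
MAX_LABEL = 63   # max characters in one label


def qname_payload_chars(tunnel_domain: str) -> int:
    """Characters of encoded data that fit in front of the tunnel zone.
    Each data label costs its length plus the dot that separates it from
    the next label (or from the zone), so the budget is the name limit
    minus the zone itself."""
    budget = MAX_QNAME - len(tunnel_domain)
    chars = 0
    while budget > 1:                      # need at least 1 char + 1 dot
        label = min(MAX_LABEL, budget - 1)
        chars += label
        budget -= label + 1
    return chars


@dataclass
class TunnelPath:
    rtt_s: float          # query/response round trip seen by the client
    in_flight: int        # outstanding queries kept in the air at once
    response_bytes: int   # usable payload per response (512-byte UDP vs EDNS0)

    def upstream_bps(self, tunnel_domain: str, bits_per_char: float = 5.0) -> float:
        """Client-to-server bits/s; 5 bits/char models base32, the usual
        choice because DNS names are case-insensitive."""
        bytes_per_query = int(qname_payload_chars(tunnel_domain) * bits_per_char) // 8
        return bytes_per_query * 8 * self.in_flight / self.rtt_s

    def downstream_bps(self) -> float:
        """Server-to-client bits/s carried in response records (TXT/NULL)."""
        return self.response_bytes * 8 * self.in_flight / self.rtt_s


def seconds_to_move(total_bytes: int, bps: float) -> float:
    """Time to move total_bytes at a sustained bps (incident-scoping aid)."""
    return total_bytes * 8 / bps


# Constructed scenarios: direct to the authoritative server on a LAN versus
# a typical recursive resolver on the path.  Resolver caching and rate
# limiting would lower the second figure further and are not modelled.
DIRECT = TunnelPath(rtt_s=0.001, in_flight=16, response_bytes=4000)
VIA_RESOLVER = TunnelPath(rtt_s=0.050, in_flight=1, response_bytes=400)

if __name__ == "__main__":
    zone = "t.example.com"
    for name, path in (("direct", DIRECT), ("via resolver", VIA_RESOLVER)):
        print(f"{name:13s} up {path.upstream_bps(zone) / 1e6:8.3f} Mbit/s"
              f"  down {path.downstream_bps() / 1e6:8.3f} Mbit/s")
    print(f"1 MB at 100 kbit/s: {seconds_to_move(1_000_000, 100_000):.0f} s")
```

The two scenarios reproduce the shape of the Iodine result: the same client logic yields hundreds of Mbit/s downstream on a direct path and tens of kbit/s once a resolver's latency and single-query-at-a-time behaviour are imposed, which is also why a per-client query-volume threshold is a more robust detection signal than any fixed bandwidth figure.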
In summary, DNS tunneling performance ranges from very slow to surprisingly fast. With careful optimization (direct authoritative queries, larger DNS messages, parallelism), tunnels can reach tens or even hundreds of Mbps. This means an attacker who isn’t worried about being noisy could transfer substantial data (e.g. streaming stolen data out). Conversely, stealthy attackers will accept lower speeds to avoid detection. From an organizational standpoint, this variability means you cannot assume a DNS tunnel is harmless because “it’s too slow to be useful”; it might not be slow at all. Even a slow tunnel is dangerous if it’s stealing your data, and a fast tunnel is outright alarming because of how much it can take in a short time.
DNS tunneling isn’t just a theoretical risk or an exotic attack seen only in advanced persistent threat scenarios. It’s a real, versatile, and increasingly accessible method used for data exfiltration and command-and-control operations. As we’ve shown, DNS tunnels can range from barely detectable low-bandwidth trickles to high-speed channels capable of transferring hundreds of megabits per second under the right conditions. This variability makes them dangerous: slow enough to slip under the radar, fast enough to cause real damage.
SafeDNS offers advanced Network-layer protection specifically designed to detect and block tunneling attempts in real time. Our DNS Security 2.0 module identifies abnormal query patterns, excessive subdomain usage, and suspicious data encoding behaviors common in tunneling. With automated threat intelligence, encrypted DNS support (DoH/DoT), and integration into SIEM platforms, SafeDNS helps organizations detect both stealthy and aggressive tunnels before damage is done. Whether attackers are dripping out data or opening the floodgates, SafeDNS ensures your DNS is no longer a blind spot, but a proactive defense line.