Severity: HIGH | Category: Data Exposure | Containment: 30-45 min | 15 steps across 5 phases

    Data Exfiltration via DNS/VPC

    An attacker is exfiltrating data from your AWS environment over a covert channel: DNS tunneling (data encoded in the labels of DNS queries, with commands coming back in the answers), bulk transfers from VPC instances to external endpoints, or another out-of-band method. DNS exfiltration is particularly dangerous because outbound DNS is almost never blocked (security groups, NACLs and proxies let port 53 through, and the VPC resolver will recurse for any domain), Resolver query logging is off by default, and the attacker's authoritative name server receives every query for its domain no matter which resolver forwarded it.

    Phase 1: Detection

    1. Check GuardDuty for DNS exfiltration findings

    GuardDuty consumes the Route 53 Resolver DNS logs for your VPCs as a foundational data source (you do not need to enable query logging for this) and detects tunneling patterns: high query volume, long subdomain names, unusual TXT record queries. It only sees queries that pass through the Amazon-provided resolver; an instance configured to talk directly to an external DNS server on port 53 bypasses this detection entirely, which is why the VPC Flow Logs check in step 3 is also needed. The finding's Service.Action.DnsRequestAction.Domain field names the domain to block in containment.

    Relevant finding types:

    Trojan:EC2/DNSDataExfiltration
    Backdoor:EC2/C&CActivity.B!DNS
    Trojan:EC2/BlackholeTraffic!DNS
    Impact:EC2/AbusedDomainRequest.Reputation
    2. Analyze Route 53 Resolver query logs

    If query logging is enabled and associated with the VPC, the logs contain every query the Route 53 Resolver answered for that VPC, with the source address and instance ID. Look for suspicious patterns.

    # Check that query logging is enabled AND associated with the affected VPC
    aws route53resolver list-resolver-query-log-configs
    aws route53resolver list-resolver-query-log-config-associations

    # CloudWatch Logs Insights query against the Resolver log group: surface long
    # or TXT/NULL queries, then count distinct names per source and parent domain
    # (tunnel names carry data, so they almost never repeat)
    fields @timestamp, query_name, query_type, rcode, srcaddr, srcids.instance
    | filter strlen(query_name) > 50 or query_type in ["TXT", "NULL"]
    | parse query_name /(?<parentDomain>[^.]+\.[^.]+)\.?$/
    | stats count() as queries, count_distinct(query_name) as uniqueNames by srcaddr, parentDomain
    | sort uniqueNames desc
    | limit 50

    DNS tunneling signs: long query names (>50 characters, pushing toward the 63-character label and 253-character name limits), a large number of unique subdomains under one parent domain (each query carries different data, so names rarely repeat), unusual record types (TXT, NULL; some tools also use CNAME or MX), base32/base64/hex-looking labels with high character entropy, and a steady query rate that does not track user activity.
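The indicators above can be scored mechanically over exported query-log lines. The script below is an added example for this playbook, not an AWS tool or code from the original page: it parses the JSON records that Resolver query logging writes to CloudWatch Logs (only query_name, query_type, srcaddr and rcode are used), groups them by source address and parent domain, and flags a pair as tunneling when the names are long, high-entropy and never repeat. The thresholds, the two-label "parent domain" approximation and the sample records are assumptions; the sample tunnel host is constructed in the block.

```python
"""Flag DNS-tunneling indicators in Route 53 Resolver query-log records.

Added example, not AWS code. Thresholds and sample records are assumptions.
"""
import json
import math
import random
from collections import Counter, defaultdict

LONG_NAME = 50        # assumed: mean query-name length that is unusual for a client
HIGH_ENTROPY = 3.8    # assumed: bits/char over the subdomain part (hostnames sit well below)
UNIQUE_RATIO = 0.8    # assumed: share of never-repeated names (encoded data is unique)


def parent_domain(name, depth=2):
    """Last `depth` labels. Assumption: no public-suffix list, so pass depth=3
    for names under co.uk-style suffixes."""
    return ".".join(name.rstrip(".").lower().split(".")[-depth:])


def subdomain_part(name, parent):
    """Everything left of the parent domain, or '' for the apex itself."""
    full = name.rstrip(".").lower()
    return full[: -len(parent)].rstrip(".") if full != parent else ""


def shannon_entropy(text):
    """Bits per character; base32/hex payload scores far above real hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def parse_lines(lines):
    return [json.loads(line) for line in lines if line.strip()]


def score_records(records):
    """Group by (srcaddr, parent domain); attach indicators and a verdict."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["srcaddr"], parent_domain(rec["query_name"]))].append(rec)
    results = []
    for (src, parent), recs in groups.items():
        names = [r["query_name"] for r in recs]
        subs = [subdomain_part(n, parent).replace(".", "") for n in names]
        s = {
            "srcaddr": src,
            "parent": parent,
            "queries": len(recs),
            "unique_names": len(set(names)),
            "avg_name_len": sum(map(len, names)) / len(names),
            "avg_entropy": sum(map(shannon_entropy, subs)) / len(subs),
            "txt_null_ratio": sum(r["query_type"] in ("TXT", "NULL") for r in recs) / len(recs),
            "nxdomain_ratio": sum(r.get("rcode") == "NXDOMAIN" for r in recs) / len(recs),
        }
        ind = []
        if s["avg_name_len"] > LONG_NAME:
            ind.append("long names")
        if s["avg_entropy"] > HIGH_ENTROPY:
            ind.append("high entropy")
        if s["queries"] >= 5 and s["unique_names"] / s["queries"] > UNIQUE_RATIO:
            ind.append("unique names")
        if s["txt_null_ratio"] > 0.5:
            ind.append("TXT/NULL records")
        if s["nxdomain_ratio"] > 0.5:
            ind.append("NXDOMAIN heavy")
        s["indicators"] = ind
        # Core signature: long, high-entropy, never-repeated names. Record type
        # and rcode raise confidence but are not required (tools vary).
        s["suspicious"] = {"long names", "high entropy", "unique names"} <= set(ind)
        results.append(s)
    return sorted(results, key=lambda r: (r["suspicious"], r["unique_names"]), reverse=True)


def _record(src, name, qtype="A", rcode="NOERROR"):
    """One constructed query-log line in the Resolver JSON layout."""
    return json.dumps({"version": "1.100000", "vpc_id": "vpc-0123456789abcdef0",
                       "query_timestamp": "2024-05-01T10:00:00Z", "query_name": name,
                       "query_type": qtype, "query_class": "IN", "rcode": rcode,
                       "srcaddr": src, "srcport": "41234", "transport": "UDP",
                       "srcids": {"instance": "i-0abc1234def567890"}})


# Constructed sample: 10.0.1.25 tunnels base32 chunks (each label is a shuffled
# base32 alphabet) in TXT queries, alongside ordinary lookups from two hosts.
_rng = random.Random(7)
_B32 = list("abcdefghijklmnopqrstuvwxyz234567")


def _chunk():
    _rng.shuffle(_B32)
    return "".join(_B32)


SAMPLE_LINES = (
    [_record("10.0.1.25", f"{_chunk()}.{_chunk()}.t.exfil-tunnel.example", "TXT") for _ in range(6)]
    + [_record("10.0.1.25", "api.github.com") for _ in range(5)]
    + [_record("10.0.2.40", "ec2.us-east-1.amazonaws.com"),
       _record("10.0.2.40", "www.amazon.com"),
       _record("10.0.2.40", "www.amazon.com")]
)

if __name__ == "__main__":
    for row in score_records(parse_lines(SAMPLE_LINES)):
        print(row["suspicious"], row["srcaddr"], row["parent"], row["indicators"])
```

Run it against a CloudWatch Logs export (one JSON object per line) for the window in question; the sorted output puts flagged pairs first, and the srcaddr plus srcids.instance of the first row is the instance to isolate. Tune the three thresholds against a week of your own baseline before relying on the verdict.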

    3. Review VPC Flow Logs for large outbound transfers

    Look for unusual volumes of outbound traffic, especially to IP addresses not on your known-good list, and for any traffic to port 53 on an address other than the VPC resolver. Flow logs do not record queries sent to the Amazon-provided resolver (the VPC base address plus two), so tunneling through the resolver shows up only in the Resolver query logs and GuardDuty; direct-to-Internet DNS, which bypasses both of those, shows up only here.

    # Logs Insights over the flow-log group (default format has no direction field,
    # so egress is inferred from the addresses; 10.0.0.0/16 stands for the VPC CIDR)
    fields @timestamp, srcAddr, dstAddr, dstPort, protocol, bytes, action
    | filter action = "ACCEPT"
    | filter isIpv4InSubnet(srcAddr, "10.0.0.0/16") and not isIpv4InSubnet(dstAddr, "10.0.0.0/16")
    | stats sum(bytes) as totalBytes, count() as flows by dstAddr, dstPort
    | sort totalBytes desc
    | limit 20

    # Second query: port 53 to anything outside the VPC bypasses the Route 53 Resolver
    fields @timestamp, srcAddr, dstAddr, bytes
    | filter dstPort = 53 and action = "ACCEPT" and not isIpv4InSubnet(dstAddr, "10.0.0.0/16")
    | stats sum(bytes) as totalBytes, count() as flows by srcAddr, dstAddr
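The same two questions (who is sending the most data out, and who is talking DNS to anything other than the resolver) can be answered offline from a flow-log export when Logs Insights is unavailable or the logs go to S3. The script below is an added example for this playbook, not AWS code: it parses default-format (version 2) flow-log records, keeps ACCEPTed flows whose source is inside the VPC CIDR and whose destination is outside it, ranks destinations by bytes, and separately lists every flow to port 53 outside the VPC. The VPC CIDR and the sample records are constructed; the external addresses are RFC 5737 test ranges.

```python
"""Aggregate VPC Flow Log egress and flag DNS that bypasses the VPC resolver.

Added example, not AWS code. VPC CIDR and sample records are assumptions.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC CIDR

# Default flow-log format (version 2), space separated, in this order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_flow_line(line):
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        raise ValueError(f"not a default-format flow-log record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k]) if rec[k] != "-" else 0   # NODATA/SKIPDATA rows use '-'
    return rec


def is_egress(rec, cidr=VPC_CIDR):
    """Source inside the VPC and destination outside it; the default format has
    no direction field, so direction is inferred from the addresses."""
    return (ipaddress.ip_address(rec["srcaddr"]) in cidr
            and ipaddress.ip_address(rec["dstaddr"]) not in cidr)


def summarize_egress(lines, cidr=VPC_CIDR):
    by_dst = defaultdict(lambda: {"bytes": 0, "flows": 0, "sources": set()})
    direct_dns = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for line in lines:
        rec = parse_flow_line(line)
        if rec["action"] != "ACCEPT" or not is_egress(rec, cidr):
            continue
        key = (rec["dstaddr"], rec["dstport"])
        by_dst[key]["bytes"] += rec["bytes"]
        by_dst[key]["flows"] += 1
        by_dst[key]["sources"].add(rec["srcaddr"])
        # Port 53 to anything outside the VPC means the client is not using the
        # Route 53 Resolver, so DNS Firewall, GuardDuty DNS findings and the
        # query logs all miss it. Flag it regardless of volume.
        if rec["dstport"] == 53 and rec["protocol"] in (6, 17):
            d = direct_dns[(rec["srcaddr"], rec["dstaddr"])]
            d["bytes"] += rec["bytes"]
            d["flows"] += 1
    top = sorted(((k, v["bytes"], v["flows"], sorted(v["sources"])) for k, v in by_dst.items()),
                 key=lambda t: t[1], reverse=True)
    return {"top_destinations": top, "direct_external_dns": dict(direct_dns)}


# Constructed records: one host uploading 50 MiB over 443 and querying an external
# DNS server directly, one host doing ordinary API traffic, plus an inbound reject
# and an intra-VPC flow that must be ignored.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.53 41234 53 17 120 9600 1714557600 1714557660 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.53 41235 53 17 80 6400 1714557660 1714557720 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.10 52044 443 6 5000 52428800 1714557600 1714557900 ACCEPT OK",
    "2 123456789012 eni-0b9c8d7e6f5a4b3c2 10.0.2.40 203.0.113.20 50122 443 6 300 180000 1714557600 1714557660 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.77 10.0.1.25 55012 22 6 10 600 1714557600 1714557601 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 44010 5432 6 2000 3000000 1714557600 1714557660 ACCEPT OK",
    "2 123456789012 eni-0b9c8d7e6f5a4b3c2 10.0.2.40 198.51.100.99 39000 53 17 2 160 1714557600 1714557601 ACCEPT OK",
]

if __name__ == "__main__":
    report = summarize_egress(SAMPLE_LINES)
    for (dst, port), nbytes, flows, srcs in report["top_destinations"]:
        print(f"{dst}:{port} {nbytes} bytes over {flows} flows from {srcs}")
    for (src, dst), d in report["direct_external_dns"].items():
        print(f"DIRECT DNS {src} -> {dst}: {d['flows']} flows, {d['bytes']} bytes")
```

Feed it the decompressed log objects from S3 or a CloudWatch export; the direct_external_dns list is the one to act on first, because a host that has changed its resolver is already outside every DNS-layer control in this playbook.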

    Phase 2: Containment

    1. Block the exfiltration domain with Route 53 DNS Firewall

    Create a DNS Firewall domain list containing the identified domain and its subdomains, put it in a rule group with a BLOCK rule, and associate the rule group with every affected VPC; without the association the rule enforces nothing. This stops queries that pass through the Route 53 Resolver only. Queries sent straight to an external DNS server are unaffected, which the isolation security group in the next step has to cover.

    # Create a domain list and capture its ID
    LIST_ID=$(aws route53resolver create-firewall-domain-list \
      --name "blocked-exfil-domains" \
      --query 'FirewallDomainList.Id' --output text)
    # Add the apex and all subdomains (the encoded data lives in the subdomain labels)
    aws route53resolver update-firewall-domains \
      --firewall-domain-list-id "$LIST_ID" \
      --operation ADD \
      --domains "malicious-domain.example.com" "*.malicious-domain.example.com"
    # Create a rule group and a BLOCK rule that answers NXDOMAIN
    GROUP_ID=$(aws route53resolver create-firewall-rule-group \
      --name "block-exfil" \
      --query 'FirewallRuleGroup.Id' --output text)
    aws route53resolver create-firewall-rule \
      --firewall-rule-group-id "$GROUP_ID" \
      --firewall-domain-list-id "$LIST_ID" \
      --priority 100 \
      --action BLOCK \
      --block-response NXDOMAIN \
      --name "block-exfil-domain"
    # Nothing is enforced until the rule group is associated with the VPC
    # (association priority must be in the 101-9900 range)
    aws route53resolver associate-firewall-rule-group \
      --firewall-rule-group-id "$GROUP_ID" \
      --vpc-id <vpc-id> \
      --priority 101 \
      --name "block-exfil-assoc"
    2. Isolate the source instance

    Take EBS snapshots first so evidence survives, then replace the instance's security groups with an isolation group that has no inbound rules and no outbound rules (a newly created security group allows all egress by default, so revoke that rule before using it). modify-instance-attribute --groups replaces the complete set of groups on the primary network interface; an instance with additional interfaces needs each of them changed as well.

    # Evidence first: snapshot every volume attached to the instance
    aws ec2 create-snapshots --instance-specification InstanceId=<instance-id>
    # Then replace all security groups with the isolation group (no ingress, no egress)
    aws ec2 modify-instance-attribute \
      --instance-id <instance-id> \
      --groups <isolation-sg-id>
    3. Enable Network Firewall for deep packet inspection

    If not already deployed, Network Firewall can inspect DNS and other covert-channel traffic with Suricata-compatible stateful rules (for example dropping DNS to any destination other than the VPC resolver, or alerting on query names over a length threshold). Deploying it requires a firewall subnet and route-table changes, so it is not a minutes-scale containment action; during the incident, a subnet NACL or the isolation security group that blocks port 53 to everything except the resolver is the faster control, and Network Firewall belongs in Phase 5.

    Phase 3: Eradication

    1. Identify the exfiltration mechanism

    Determine how data is being encoded and carried. Common methods: DNS TXT (or NULL/CNAME) queries against an attacker-controlled domain, HTTPS POST to an external endpoint, ICMP tunneling. On the instance (or a volume mounted from the snapshot), find the process that owns the sockets (ss -tunap), check whether /etc/resolv.conf has been pointed away from the VPC resolver, look for cron entries or systemd units that restart the tool, and identify which files or credentials it reads, since that bounds what could have been taken.

    2. Determine what data was exfiltrated

    Analyze the DNS queries or network traffic to estimate the volume and type of data exfiltrated.

    DNS tunneling is slow, commonly tens of kbit/s through a recursive resolver, so the volume is bounded by the query count. Estimate it as queries × decoded bytes per query, where decoded bytes are the encoded label length times the encoding's bits per character (4 for hex, 5 for base32, 6 for base64) divided by 8; after the parent domain and label separators, even a maximum-length 253-character name carries well under 200 bytes. Answers carry data inbound too (TXT responses are how a tunnel delivers commands), so count both directions when scoping the channel.
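Working that estimate from the actual names in the query logs, as an added example for this playbook (not AWS code or any tunneling tool's code): each data label's encoding is guessed from its character set, converted to decoded bytes at the bits-per-character rate above, and summed over all queries to the exfiltration domain, with optional throughput for a known observation window. The encoding detection order, the parent-domain handling and the sample names are assumptions; real tools (dnscat2 uses hex, iodine negotiates base32/base64/base128) also spend some label bytes on sequence numbers and session IDs, so treat the result as an upper bound on payload.

```python
"""Estimate the payload carried by DNS-tunnel query names.

Added example, not AWS or tunneling-tool code. Detection order and sample
names are assumptions.
"""
import string

HEX = set(string.hexdigits.lower())
BASE32 = set(string.ascii_lowercase + "234567")
BASE64 = set(string.ascii_letters + string.digits + "+/-_=")
BITS_PER_CHAR = {"hex": 4, "base32": 5, "base64": 6}


def detect_encoding(label):
    """Most specific alphabet that covers the label, '' if none does.
    DNS is case-insensitive, so base64 is only trustworthy when the logged
    name preserved case; a lowercase-only label is classified as base32."""
    if not label:
        return ""
    low = label.lower()
    if set(low) <= HEX:
        return "hex"
    if label == low and set(low) <= BASE32:
        return "base32"
    if set(label) <= BASE64:
        return "base64"
    return ""


def decoded_bytes(label, encoding=None):
    encoding = encoding or detect_encoding(label)
    if encoding not in BITS_PER_CHAR:
        return 0
    return (len(label.rstrip("=")) * BITS_PER_CHAR[encoding]) // 8


def data_labels(name, parent):
    """Labels left of the parent domain (assumption: every one of them may
    carry data; a fixed marker label decodes to 0-1 bytes and barely matters)."""
    full = name.rstrip(".").lower()
    if not full.endswith("." + parent.lower()):
        return []
    return full[: -len(parent) - 1].split(".")


def estimate_exfil(names, parent, seconds=None):
    """Sum decoded bytes over all names under `parent`; report the per-encoding
    breakdown and, when the window length is known, throughput in kbit/s."""
    per_encoding = {}
    total = 0
    for name in names:
        for label in data_labels(name, parent):
            enc = detect_encoding(label) or "unknown"
            n = decoded_bytes(label, enc)
            per_encoding[enc] = per_encoding.get(enc, 0) + n
            total += n
    result = {"queries": len(names), "bytes": total, "per_encoding": per_encoding,
              "bytes_per_query": total / len(names) if names else 0.0}
    if seconds:
        result["kbps"] = total * 8 / seconds / 1000
    return result


# Constructed sample names: a 60-char hex label, a 32-char base32 label with a
# marker label, and a 36-char mixed-case base64 label.
SAMPLE_NAMES = [
    "a1b2c3d4e5f6" * 5 + ".exfil-tunnel.example",
    "kq4tgmzxhe3dqmjqg43dknjwgy2tamjt.t.exfil-tunnel.example",
    "SGVsbG8gV29ybGQhIFRoaXMgaXMgYSB0ZXN0.exfil-tunnel.example",
]

if __name__ == "__main__":
    print(estimate_exfil(SAMPLE_NAMES, "exfil-tunnel.example", seconds=10))
```

In practice, pull the distinct query_name values for the flagged parent domain and the first/last query_timestamp from the Resolver logs, pass them in as names and seconds, and multiply the per-query figure by the total query count if you are working from a sampled export.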

    3. Remove the malware or backdoor performing exfiltration

    Identify and remove the process, script, or malware on the source instance that generates the exfiltration traffic, along with whatever persistence restarts it. Confirm with a fresh query-log or flow-log check that the queries have stopped. This is evidence collection and damage limitation, not a substitute for the rebuild in Phase 4.

    Phase 4: Recovery

    1. Rebuild the compromised instance

    Do not attempt to clean the instance and return it to service. Preserve evidence first (the EBS snapshots taken during containment, plus a memory capture if your tooling supports it), then terminate it and rebuild from a known-good AMI with current patches, and verify that the replacement does not generate the same queries.

    2. Rotate all credentials accessible from the compromised instance

    Any data, secrets, or credentials that the compromised instance could reach should be considered exfiltrated: the instance profile role (attach a policy that denies requests whose aws:TokenIssueTime is earlier than now to revoke its active sessions, then review what the role could access), secrets in Secrets Manager or SSM Parameter Store it could read, database passwords in config files on disk, and any SSH or API keys in user home directories.

    3. Assess data breach notification requirements

    Based on the data exfiltrated, determine if regulatory notification (GDPR, CCPA, HIPAA) is required.

    Phase 5: Lessons Learned

    1. Enable Route 53 Resolver query logging

    Log all DNS queries from your VPCs so that tunneling and exfiltration attempts can be detected and investigated after the fact. A logging config must be associated with each VPC it should cover; the destination can be a CloudWatch Logs group, an S3 bucket, or a Kinesis Data Firehose delivery stream.

    CONFIG_ID=$(aws route53resolver create-resolver-query-log-config \
      --name "dns-query-logging" \
      --destination-arn <cloudwatch-log-group-arn> \
      --query 'ResolverQueryLogConfig.Id' --output text)
    # A config logs nothing until it is associated with each VPC
    aws route53resolver associate-resolver-query-log-config \
      --resolver-query-log-config-id "$CONFIG_ID" \
      --resource-id <vpc-id>
    2. Deploy Route 53 DNS Firewall with managed domain lists

    AWS provides managed domain lists (known malware domains, botnet command-and-control, an aggregate threat list, and a list fed by GuardDuty threat intelligence) that a rule group can block or alert on. They cover known-bad domains only; a tunnel over a freshly registered attacker domain will not be on any list, so pair them with the query-log heuristics from detection (long, high-entropy, never-repeated names) or DNS Firewall Advanced's DNS tunneling protection.

    3. Implement VPC endpoint policies

    A VPC endpoint reaches the whole service, not just your account, so an attacker can push data through your S3 gateway endpoint into a bucket they own without ever crossing an Internet gateway. Attach endpoint policies that restrict access to your own principals and resources (for example with conditions on aws:PrincipalOrgID and aws:ResourceOrgID) so the endpoints cannot be used as an exfiltration path.

    Tags: dns-tunneling, data-exfiltration, vpc-flow-logs, covert-channel, dns-firewall
