Computer science
Void (composite materials)
Encryption
Quantum tunnelling
Computer network
Materials science
Physics
Condensed matter physics
Composite material
Source
Journal: IEEE Access
[Institute of Electrical and Electronics Engineers]
Date: 2025-01-01
Volume/Issue: 13: 138551-138567
Identifier
DOI: 10.1109/access.2025.3595455
Abstract
Domain name system (DNS) tunneling is a covert technique for data exfiltration and command-and-control communication that often bypasses traditional security mechanisms. Because it rides on the DNS itself, it is difficult to detect, especially when the traffic is carried over encryption protocols such as DNS-over-HTTPS (DoH). This paper describes a novel detection framework that analyzes client behavior in response to simulated blackhole events, i.e., DNS queries that are deliberately dropped. The approach introduces six new behavioral features capturing retry and domain-switching behavior, used in combination with eleven traditional DNS metrics. Experiments were conducted on the GraphTunnel data set (2,975,353 records) and the CIC-Bell-DNS-EXF-2021 data set (1,019,318 records). Five-fold cross-validation with a random forest classifier achieved 99.9% classification accuracy, a 99.9% F1 score, and 100% precision and recall. Feature importance analysis indicates that the blackhole-related features, the query-to-blackhole ratio (Gini importance of 0.35) and the inter-blackhole interval (0.20), contribute substantially to detection and help capture stealthy tunneling behavior. The system does not inspect the payload, so it remains a lightweight mechanism that works even on encrypted DNS traffic, enabling real-time deployment. Beyond computational capability, practical field deployment in commercial environments presents integration challenges. Integration with existing security information and event management (SIEM) systems or DNS infrastructures requires API compatibility, scaling to heterogeneous networks, and minimal disruption of established workflows. Enterprises also face constraints concerning regulatory compliance, data privacy, and operational cost when adopting new detection mechanisms.
To address these issues, our system is designed to be modular and protocol-independent so that it can be integrated with mainstream SIEM tools (e.g., Splunk, QRadar) and enterprise DNS resolvers through standard interfaces. Future work includes validating the approach in live environments and responding quickly to evolving threats such as wildcard DNS abuse and tunneling over amplified queries.
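As an added illustration, not code from the paper, the following derives per-client blackhole-behaviour features of the kind the abstract names (query-to-blackhole ratio, inter-blackhole interval, retries and domain switches after a dropped query) from a resolver log. The log, the retry window, the registered-domain heuristic and the exact feature definitions are assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log: (timestamp_s, client, qname, blackholed).
# blackholed=True marks a query the resolver deliberately dropped.
SAMPLE_LOG = [
    (0.0, "10.0.0.5", "a1b2.tun.example", True),
    (1.0, "10.0.0.5", "a1b2.tun.example", False),  # retry of the same name
    (2.0, "10.0.0.5", "c3d4.tun.example", True),
    (2.5, "10.0.0.5", "c3d4.tun.example", False),  # retry
    (4.0, "10.0.0.5", "e5f6.tun.example", True),
    (4.2, "10.0.0.5", "e5f6.tun.example", False),  # retry
    (0.0, "10.0.0.9", "www.example.org", True),
    (1.0, "10.0.0.9", "cdn.example.net", False),   # switches to another domain
    (60.0, "10.0.0.9", "www.example.org", False),
]

def registered_domain(qname):
    """Crude registered-domain approximation: the last two labels (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def extract_features(log, retry_window=5.0):
    """Per-client behavioural features around blackhole events (assumed definitions)."""
    per_client = defaultdict(list)
    for ts, client, qname, blackholed in sorted(log):
        per_client[client].append((ts, qname, blackholed))
    feats = {}
    for client, rows in per_client.items():
        bh_times = [ts for ts, _, bh in rows if bh]
        retries = switches = 0
        for i, (ts, qname, bh) in enumerate(rows):
            if not bh:
                continue
            # Classify the client's next query after a dropped one.
            nxt = rows[i + 1] if i + 1 < len(rows) else None
            if nxt and nxt[0] - ts <= retry_window:
                if nxt[1] == qname:
                    retries += 1
                elif registered_domain(nxt[1]) != registered_domain(qname):
                    switches += 1
        gaps = [b - a for a, b in zip(bh_times, bh_times[1:])]
        feats[client] = {
            "queries": len(rows),
            "blackholes": len(bh_times),
            "query_to_blackhole_ratio": len(rows) / len(bh_times) if bh_times else None,
            "mean_inter_blackhole_interval": sum(gaps) / len(gaps) if gaps else None,
            "retries_after_blackhole": retries,
            "domain_switches_after_blackhole": switches,
        }
    return feats
```

The tunneling-like client shows a low query-to-blackhole ratio with tight, regular inter-blackhole gaps and a retry after every drop, whereas the ordinary client simply moves on; these are the feature vectors a classifier such as the paper's random forest would consume.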