
Echoes from the Void: Detecting DNS Tunneling with Blackhole Features in Encrypted Scenarios with High Accuracy
Author(s) - Wafa S. Alorainy
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3595455
Subject(s) - aerospace , bioengineering , communication, networking and broadcast technologies , components, circuits, devices and systems , computing and processing , engineered materials, dielectrics and plasmas , engineering profession , fields, waves and electromagnetics , general topics for engineers , geoscience , nuclear engineering , photonics and electrooptics , power, energy and industry applications , robotics and control systems , signal processing and analysis , transportation
DNS tunneling is a covert technique for data exfiltration and command-and-control communication that often bypasses traditional security mechanisms. Because it rides on the Domain Name System (DNS), it is difficult to detect, especially when the traffic is carried over an encrypted transport such as DNS over HTTPS (DoH). This paper describes a detection framework that analyzes how a client behaves in response to simulated blackhole events, i.e. DNS queries that the resolver deliberately drops. The approach introduces six new behavioral features describing retry and domain-switching behavior after a drop, combined with eleven traditional DNS metrics. Experiments used the GraphTunnel data set (2,975,353 records) and CIC-Bell-DNS-EXF-2021 (1,019,318 records). With five-fold cross-validation, a Random Forest classifier achieved 99.9% accuracy, a 99.9% F1 score, and 100% precision and recall. Feature importance analysis shows that the blackhole-related features drive detection: the query-to-blackhole ratio (Gini importance 0.35) and the inter-blackhole interval (0.20) capture stealthy tunneling behavior. Because the system never inspects payloads, it remains lightweight and works even when DNS traffic is encrypted, which makes real-time deployment feasible. Future work includes validating the approach in live environments and extending it to evolving threats such as wildcard DNS abuse and tunneling over amplified queries.
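As an added illustration, not code from the paper, the following Python script shows how a client's reaction to deliberately dropped queries can be turned into per-client features without touching query payloads. The feature definitions (a 5 s reaction window, classifying the first query after a drop as a retry or a same-zone domain switch, the query-to-blackhole ratio taken as queries divided by drops) and the two constructed clients are assumptions made for this example; the hand-written rule at the end stands in for the paper's Random Forest and is not its model.

```python
"""Blackhole-reaction features for DNS clients (constructed example, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DnsEvent:
    ts: float         # seconds since capture start
    client: str       # client address
    qname: str        # queried name; never decoded, only compared
    blackholed: bool  # True if the resolver deliberately dropped this query

RETRY_WINDOW_S = 5.0  # assumption: a reaction to a drop is looked for within 5 s


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the constructed names below."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def extract_features(events):
    """Return {client: features}. The first query a client sends after a drop
    decides its reaction: same name -> retry, new name in the same zone -> switch."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev.client].append(ev)

    features = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        drops = [e for e in evs if e.blackholed]
        retries = switches = 0
        for idx, drop in enumerate(evs):
            if not drop.blackholed or idx + 1 >= len(evs):
                continue
            nxt = evs[idx + 1]
            if nxt.ts - drop.ts > RETRY_WINDOW_S:
                continue  # no timely reaction to the drop
            if nxt.qname == drop.qname:
                retries += 1  # typical stub-resolver behaviour
            elif registered_domain(nxt.qname) == registered_domain(drop.qname):
                switches += 1  # moved on to a fresh subdomain of the same zone
        n_q, n_bh = len(evs), len(drops)
        gaps = [b.ts - a.ts for a, b in zip(drops, drops[1:])]
        features[client] = {
            "queries": n_q,
            "blackholes": n_bh,
            "query_to_blackhole_ratio": n_q / n_bh if n_bh else None,
            "mean_inter_blackhole_s": mean(gaps) if gaps else None,
            "retry_rate": retries / n_bh if n_bh else 0.0,
            "switch_rate": switches / n_bh if n_bh else 0.0,
        }
    return features


def tunnel_like(f):
    """Threshold rule used only for this example; the paper trains a Random Forest."""
    if f["blackholes"] < 2 or f["mean_inter_blackhole_s"] is None:
        return False
    return f["switch_rate"] >= 0.5 and f["mean_inter_blackhole_s"] < 10.0


def build_sample():
    """Constructed capture: one ordinary client and one tunnel-like client."""
    benign = [
        DnsEvent(0.0, "10.0.0.5", "www.example.com", False),
        DnsEvent(30.0, "10.0.0.5", "cdn.example.net", True),     # dropped ...
        DnsEvent(31.0, "10.0.0.5", "cdn.example.net", False),    # ... and retried
        DnsEvent(95.0, "10.0.0.5", "mail.example.org", False),
        DnsEvent(200.0, "10.0.0.5", "static.example.com", True),
        DnsEvent(201.0, "10.0.0.5", "static.example.com", False),
        DnsEvent(320.0, "10.0.0.5", "www.example.com", False),
    ]
    # Tunnel client: a new encoded subdomain every 0.2 s; every third query is
    # dropped, and the client simply continues with the next chunk.
    tunnel = [
        DnsEvent(i * 0.2, "10.0.0.9", f"c{i:02d}{'a' * 24}.t.exfil-example.net", i % 3 == 2)
        for i in range(12)
    ]
    return benign + tunnel


if __name__ == "__main__":
    for client, f in extract_features(build_sample()).items():
        verdict = "tunnel-like" if tunnel_like(f) else "benign"
        print(client, verdict, f)
```

On the constructed capture the ordinary client retries every dropped name (retry rate 1.0, no switches, drops 170 s apart) while the tunnel client never retries and switches to a new subdomain after three of its four drops with drops 0.6 s apart; those are the same kinds of signals the abstract's retry, domain-switching and inter-blackhole-interval features encode.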
Accelerating Research
John Eccles House, Robert Robinson Avenue,
Oxford Science Park, Oxford
OX4 4GP, United Kingdom