...

Companies allow the DNS protocol to pass through their firewall (both inbound and outbound) because it is necessary for their internal employees to visit external sites and for external users to find their websites.

A network attack using DNS tunneling takes advantage of this fact by using DNS requests to implement a command and control channel for malware. Inbound DNS traffic can transmit commands to the malware, while outbound traffic can exfiltrate sensitive data or carry responses to the malware operator's requests. DNS tunneling can also be used to bypass network restrictions, for example to get around hotspot logins or to reach blocked services.

This works because DNS is a very flexible protocol. There are very few restrictions on the data a DNS query contains because it is designed to look up domain names of websites. Since almost anything can be a domain name, these fields can be used to transmit sensitive information. The queries are crafted to reach attacker-controlled DNS servers, which receive them and answer in the corresponding DNS responses.
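A defender-side heuristic for the pattern described above, as an added example that is not part of the original page and not the logic of the product's DNS Tunnel Filter: it flags zones that receive several distinct subdomains with very long or high-entropy labels. The thresholds, function names and sample query names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions, not values from any product).
MAX_LABEL_LEN = 40   # a DNS label may be up to 63 bytes; normal ones are short
MIN_ENTROPY = 3.5    # bits per character in the subdomain part
MIN_UNIQUE = 3       # distinct subdomains under one zone before judging it

def shannon_entropy(text):
    """Bits per character of text; encoded payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_zone(qname):
    """Split a query name into (subdomain, zone).
    Simplification: the zone is assumed to be the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_zones(qnames):
    """Return the zones whose observed subdomains look like encoded data."""
    per_zone = defaultdict(set)
    for qname in qnames:
        sub, zone = split_zone(qname)
        if sub:
            per_zone[zone].add(sub)
    flagged = set()
    for zone, subs in per_zone.items():
        if len(subs) < MIN_UNIQUE:   # one odd name is not a channel
            continue
        long_label = any(len(l) > MAX_LABEL_LEN for s in subs for l in s.split("."))
        mean_h = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if long_label or mean_h >= MIN_ENTROPY:
            flagged.add(zone)
    return flagged

# Constructed sample query names under reserved example domains.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "intranet.example.com", "cdn.example.com",
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3.example.org",
    "nbswy3dpeb3w64tmmqqhi2djomqgs4zamebhgzldojsxi.example.net",
    "orugs4zanfzsaylomvzxgyltmuqhg33nmuqgi5dbnrxxe.example.net",
    "mfxgi3tfon2ca5dimuqhgzlsozsxeidbnzscayjanrxw4.example.net",
]

if __name__ == "__main__":
    print(sorted(suspicious_zones(SAMPLE_QUERIES)))
```

The single long name under example.org is not flagged because one unusual query does not indicate a channel; the per-zone count of distinct subdomains is what separates sustained tunneling from an occasional hash-like hostname.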

...

The check is enabled by default. If required, it can be disabled in the configuration under DNS → Filter/Aliases → DNS Tunnel Filter; however, we recommend leaving it enabled.

Possible error pattern that can occur when the check is activated:

...