ORIGINAL RESEARCH article
Front. Comput. Sci.
Sec. Computer Security
Advanced DNS Tunneling Detection: A Hybrid Reinforcement Learning and Metaheuristic Approach
Provisionally accepted
- 1Department of Computer Systems and Communication, Universiti Teknikal Malaysia Melaka, Durian Tunggal, Malaysia
- 2Department Intelligent Computing And Analytics, Universiti Teknikal Malaysia Melaka, Durian Tunggal, Malaysia
- 3University of Babylon, Hillah, Iraq
ABSTRACT
DNS tunneling remains a critical network threat, exploiting the inherent trust in the DNS protocol for unauthorized communication, data exfiltration, and firewall evasion. Addressing this challenge, this paper introduces a novel, hybrid feature selection framework that integrates the Random Forest classifier with an Enhanced Reinforcement Learning-Guided Grey Wolf Optimizer (EnhancedRLGWO). The EnhancedRLGWO employs a Dueling Deep Q-Network and strategic Opposition-Based Learning to intelligently navigate the feature space and identify an optimal, minimal subset. Evaluated against the benchmark CIRA-CIC-DoHBrw-2020 dataset, the proposed approach achieved a state-of-the-art accuracy of 99.82% and a weighted F1-score of 99.79% using a highly compact subset of only 12 features. This performance significantly outperforms existing machine learning-based DNS tunneling detection systems, such as a hybrid feature selection model achieving 98.3% accuracy and a full 28-feature Random Forest baseline (98.50% accuracy). The experimental results showed the robustness of this method in identifying various types of DNS tunneling attacks, including Iodine, DNS2TCP, and DNScat2, while maintaining performance and accuracy.
Keywords: DNS tunneling, Encrypted traffic, Feature engineering, Feature Selection, Grey Wolf optimizer, Hybrid detection, machine learning, malicious traffic
Received: 20 Oct 2025; Accepted: 15 Dec 2025.
Copyright: © 2025 SAMMOUR, Othman, HASSAN, Bhais and Talib. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) or licensor are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
* Correspondence: Mohd Fairuz Iskandar Othman
Disclaimer: All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article or claim that may be made by its manufacturer is not guaranteed or endorsed by the publisher.
