Why is DNS tunneling necessary

I understand that it is possible to get around some very tough firewalls by ‘tunneling’ through DNS and sending requests to a cooperative authoritative DNS server. I don’t exactly understand why this is necessary in a ‘Command & Control’ type application. Assuming such an application was to trust only a hard-coded SSL certificate, not just anything trusted by the machine - i.e. precluding a MITM attack on the part of the firewall - why wouldn’t HTTPS suffice for this communication in evading the suspicion and intervention of a firewall? I admit I am not quite up to date on firewalls, but at a conceptual level I can’t see why DNS tunneling has any advantage over HTTPS.

Thank you.

Sooo - the answer is it’s complicated.

The job of a red team (or a real motivated adversary) is to evade detections and telemetry deployed by the blue team.

During recon, the red team may find that the blue team does not have any insight as to DNS requests, and / or is watching HTTP traffic more closely. Whereas a company may have extensive web history logs, they may not be logging DNS.
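The gap described in this answer (DNS left unlogged while web traffic is watched closely) is one a blue team closes by logging resolver queries and scoring them for tunnel-like patterns. The following is an added example, not code from the original thread: a small Python scorer run over a constructed query log. The "client qtype qname" line format, the sample domains and the thresholds are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (not a real capture); "client qtype qname" per line is assumed.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 3q2f9a8d7c6b5e4f1a0b9c8d.tunnel-example.net
10.0.0.7 TXT 8e1c0b9a7d6f5e4d3c2b1a09.tunnel-example.net
10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c.tunnel-example.net
10.0.0.7 TXT f0e1d2c3b4a5968778695a4b.tunnel-example.net
10.0.0.5 A mail.example.com
"""

def shannon_entropy(s):
    """Bits per character: ~0 for 'www', close to 4 for hex-encoded payloads."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname):
    """Naive (prefix, registered domain) split on the last two labels; real deployments should use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(log_text, min_queries=3, min_entropy=3.5):
    """Return {domain: [reasons]} for domains whose queries look like a covert channel, not name resolution."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        prefix, domain = split_qname(parts[2])
        seen[domain].append((prefix, parts[1]))
    flagged = {}
    for domain, qs in seen.items():
        if len(qs) < min_queries:
            continue  # too few queries to judge
        reasons = []
        if len({p for p, _ in qs}) == len(qs):
            reasons.append("every query used a distinct subdomain")
        if sum(shannon_entropy(p.replace(".", "")) for p, _ in qs) / len(qs) >= min_entropy:
            reasons.append("high-entropy labels")
        if all(t in ("TXT", "NULL") for _, t in qs):
            reasons.append("all queries were TXT/NULL")  # record types that carry bulk data
        if len(reasons) >= 2:  # require two independent signals to keep noise down
            flagged[domain] = reasons
    return flagged
```

Running `score_domains(SAMPLE_LOG)` flags only the tunnel-like domain; the ordinary domain trips a single signal (distinct subdomains) and is left alone.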

How would the blue team and/or a firewall manage to intercept SSL/HTTPS requests?
