DNS tunneling is one of the most common techniques threat actors use to move data in and out of a network unnoticed. Attackers encode commands, stolen data and sometimes malware payloads inside DNS queries and responses, so the traffic passes firewalls and other network controls that let DNS through by default.
In a DNS tunneling attack, malware on the victim's machine issues ordinary-looking DNS queries for a domain the attacker owns; normal DNS resolution carries those queries to a server, controlled by the attacker, that acts as the authoritative DNS server for that zone.
Key takeaways:
- the DNS protocol has no built-in protection against misuse; you have to monitor and filter it to catch DNS tunneling and other threats
- attackers use DNS tunneling to hide command-and-control traffic and data transfers inside legitimate-looking DNS traffic
- DNS tunneling lets threat actors evade detection while they exfiltrate data
- because almost every stage of an attack involves a DNS lookup, DNS monitoring is an early line of defense
- for a DNS tunneling attack to work, the attacker first needs to get malware (the tunneling client) onto the victim's device
How Does DNS Tunneling Work?
DNS tunneling lets an attacker move data across a network boundary that only permits DNS, even when the network blocks the protocol the attacker actually wants to use.
To carry malware, commands and stolen information over DNS, attackers wrap other traffic, such as HTTP, SSH or raw TCP/IP, inside DNS messages.
The data is encoded (typically base32 or base64), split into the subdomain labels of a series of DNS queries, and sent back in the responses using record types such as TXT, CNAME or NULL. It boils down to wrapping packets of one protocol inside packets of a protocol the network does allow.
They do this to get past filtering and firewall rules that inspect or block everything except DNS.
Here’s how the DNS tunneling process works:
- First, the threat actor registers a domain and delegates it (with NS records) to a server they control, on which the tunneling server software is already running.
- Second, they compromise the victim's device with malware that contains the tunneling client. Phishing, malvertising and social engineering are common ways to obtain that initial access. From then on the malware issues DNS queries for subdomains of the attacker's domain, and because outbound DNS is almost always allowed, those queries pass the firewall without restriction.
- The recursive DNS server (the resolver the victim uses) looks the name up through the root and top-level-domain servers.
- Those referrals lead the resolver to the authoritative DNS server for the attacker's domain, which is the server running the tunneling software.
- There you go: the cybercriminal now has a hard-to-trace, easy-to-use channel to the victim. Over it the threat actor can exfiltrate data in the queries and send commands back in the responses. The attacker's server is harder to track because the victim never connects to it directly; every message is relayed by the organization's own resolver.
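To make the mechanism concrete, here is an added example (not code from the original article or from Heimdal) showing how a tunneling client packs data into the subdomain labels of queries for an attacker-controlled zone, how the authoritative side reassembles it, and how commands travel back in TXT answers. The zone `tun.example`, the payload and the chunking scheme are assumptions made for illustration; the code only builds and parses names and never sends a packet.

```python
"""Added example, not code from the original article or from Heimdal: how a
DNS tunnel packs data into query names and answers.  The zone tun.example,
the payload and the chunking scheme are constructed for illustration; nothing
here sends real DNS traffic."""
import base64

TUNNEL_DOMAIN = "tun.example"   # assumed attacker-controlled zone (constructed)
MAX_LABEL = 63                  # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                  # and a full textual name at most 253 characters
TXT_STRING = 255                # a TXT record is a sequence of <=255-byte strings


def build_query_names(data: bytes, domain: str = TUNNEL_DOMAIN) -> list[str]:
    """Client side: encode data as base32 (DNS names are case-insensitive, so
    base64 would be corrupted by case-folding resolvers) and split it into
    names of the form <seq>.<label>.<label>...<domain>, each within the limits."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names, seq, pos = [], 0, 0
    while pos < len(b32):
        seq_label = str(seq)
        # characters left for payload labels once the sequence number, its
        # trailing dot and the zone name are accounted for
        budget = MAX_NAME - len(domain) - len(seq_label) - 1
        labels = []
        while pos < len(b32) and budget > 1:
            take = min(MAX_LABEL, budget - 1, len(b32) - pos)  # -1 for the dot
            labels.append(b32[pos:pos + take])
            pos += take
            budget -= take + 1
        names.append(".".join([seq_label, *labels, domain]))
        seq += 1
    return names


def decode_query_names(names: list[str], domain: str = TUNNEL_DOMAIN) -> bytes:
    """Server side: the authoritative server sees the names, strips the zone,
    reorders by sequence number (queries may arrive out of order or be
    retried by the resolver) and reassembles the base32 stream."""
    suffix = "." + domain
    chunks: dict[int, str] = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue                         # not ours: ordinary traffic
        seq, *labels = name[: -len(suffix)].split(".")
        chunks[int(seq)] = "".join(labels)   # a retried query simply overwrites
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)            # restore the base32 padding
    return base64.b32decode(b32)


def pack_txt_response(payload: bytes) -> list[str]:
    """Server side: commands go back in a TXT answer.  TXT content is not
    case-folded, so base64 is fine, but each string is capped at 255 bytes."""
    b64 = base64.b64encode(payload).decode("ascii")
    return [b64[i:i + TXT_STRING] for i in range(0, len(b64), TXT_STRING)]


def unpack_txt_response(strings: list[str]) -> bytes:
    """Client side: concatenate the TXT strings and decode the command."""
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    secret = b"constructed sample document, not real data. " * 12
    queries = build_query_names(secret)
    print(f"{len(secret)} bytes -> {len(queries)} queries, longest name "
          f"{max(map(len, queries))} chars")
    print(queries[0])
    assert decode_query_names(queries) == secret
    answer = pack_txt_response(b"run: whoami")
    assert unpack_txt_response(answer) == b"run: whoami"
```

Two details matter for the detection sections later on: every query name is unique (the sequence number alone guarantees that, which defeats resolver caching) and the payload labels are long, near-random strings, which is exactly what makes tunnel traffic look different from the short readable hostnames users request.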
What Is DNS Tunneling Used for
Like many other IT tools and concepts, tunneling can be both useful and harmful:
- attackers use DNS tunneling to avoid detection and bypass the network's security controls, such as firewalls
- IT administrators use tunneling in general to make communication between networks more secure and more efficient; a VPN, for example, is a legitimate tunnel
In practice, DNS tunneling attacks result in:
- Data exfiltration: attackers sneak information out over DNS. It is a slow, low-bandwidth way to get data off a victim's computer, but it works and it is not easily detected.
- Command and control (C2): threat actors use the DNS protocol to send commands to a remote access trojan (RAT) or other malware, and to receive its output.
- IP-over-DNS tunneling: some tools implement a full IP stack on top of the DNS query/response protocol. That lets the attacker run standard programs such as FTP, netcat or SSH over the tunnel as if they had a normal network connection.
How to Detect a DNS Tunneling Attack
There are two strong indicators that you might be the victim of a DNS tunneling attack. Let's first define them and then move on to methods of detecting them.
Unusual Domain Requests
Suppose the data inside a requested domain name has been encoded by DNS tunneling malware. An organization can tell normal DNS traffic from tunneling attempts by looking closely at the domain names in DNS requests: tunneled data shows up as long, random-looking labels, unlike the short, readable hostnames users and applications normally request. That requires knowing what your typical DNS traffic looks like.
High DNS Traffic Volume
A domain name in a DNS request can be at most 253 characters long, and each label at most 63. To exfiltrate a meaningful amount of data or run an interactive command-and-control session, an attacker therefore has to send a large number of DNS requests.
This produces an abnormal rise in DNS traffic, which should alert the IT team that something fishy is going on, such as a DNS tunneling attack.
The techniques for spotting DNS indicators of compromise (IoCs) and detecting a DNS tunneling attack fall into two categories:
Payload Analysis
Payload analysis means inspecting the DNS messages themselves for the following signs:
- the size of requests and answers
- unusual hostnames
- unusual DNS record types (for example TXT, NULL or CNAME queries from hosts that have no reason to make them)
- DNS lookups that bypass policy, for instance clients querying external servers directly instead of the internal DNS server they are supposed to use
A normal hostname consists of readable words, not encoded data, and has only a small share of numeric characters; long high-entropy labels or a high digit ratio point to encoded payloads.
Traffic Analysis
Traffic analysis detects anomalous DNS behaviour over time rather than in a single message. Use it to check:
- the volume of DNS traffic per source IP address and per domain
- the number of distinct hostnames (subdomains) requested per domain; a tunnel generates a new name for almost every query
- the geographic location of the authoritative DNS servers your resolver is sending queries to
Large amounts of DNS traffic toward regions you have no business with should look suspicious. You can also check the history of a domain: find out when its A (or AAAA) and NS records were created, since tunneling domains are often newly registered.
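The payload and traffic indicators from both sections above, applied in one added example (not the article's or Heimdal's own code) to a constructed resolver log. The log format, the thresholds and the simplified "last two labels" domain grouping are assumptions; the `*.tun.example` lines are made up to look like a tunnel and the remaining lines like ordinary traffic.

```python
"""Added example, not code from the original article or from Heimdal: the
payload and traffic indicators described above applied to a constructed
resolver log.  The log format, the thresholds and the "last two labels"
domain grouping are assumptions chosen for illustration."""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "<client-ip> <queried-name> <type>".
# The *.tun.example lines mimic a tunnel: long base32-looking labels, TXT
# queries and a new name for every query.  The rest mimic ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 www.example.com A
10.0.0.6 mail.example.com A
10.0.0.6 login.example.com AAAA
10.0.0.6 _dmarc.example.com TXT
10.0.0.7 cdn.example.net A
10.0.0.7 static.example.net A
10.0.0.7 api.example.net A
10.0.0.9 krugkidrovuwg2zamjzg653oebtw64tnmq3dirbx.0.tun.example TXT
10.0.0.9 mfrgg2lumvzhizltor4ha5lom5zxgylumfzga4tf.1.tun.example TXT
10.0.0.9 nvsxg5dfmnxw45dfnz2hg4tfn5rg6ylmnrxgkojq.2.tun.example TXT
10.0.0.9 ge3tsnjwha4tknbzgyzdcmrsgq4dsmzzgq2tiojx.3.tun.example TXT
10.0.0.9 onqwc4lpnfzhi4tfmnsxezlnmf3gs3dpnuqhi4tl.4.tun.example TXT
10.0.0.9 pbxws3lfmnzhe2lomfzwk3lfpb2gkzlumvzgc3dl.5.tun.example TXT
"""

COMMON_TYPES = {"A", "AAAA", "MX", "NS", "SOA", "PTR", "SRV"}  # assumed baseline

# Assumed thresholds: tune them against your own baseline traffic.
MAX_LABEL_LEN = 30      # mean length of the leftmost label
MAX_ENTROPY = 3.5       # bits/char; encoded data sits near 4-5, words near 2-3
MAX_DIGIT_RATIO = 0.3   # catches hex or decimal encodings (base32 stays below)
MAX_UNIQUE_RATIO = 0.8  # distinct names / queries
MAX_RARE_TYPES = 0.5    # share of queries with uncommon record types


def shannon_entropy(s: str) -> float:
    """Bits per character of a label."""
    n = len(s)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels are the registrable domain.  A real
    deployment should use the public suffix list (co.uk and friends)."""
    return ".".join(qname.strip(".").lower().split(".")[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2].upper()


def profile_domains(records) -> dict:
    """Payload features per query, aggregated per registered domain."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": Counter(),
                                 "label_len": [], "entropy": [], "digit_ratio": [],
                                 "rare_types": 0})
    for client, qname, qtype in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        first = sub.split(".")[0]           # leftmost label carries the payload
        s = stats[dom]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"][client] += 1
        s["label_len"].append(len(first))
        s["entropy"].append(shannon_entropy(first))
        s["digit_ratio"].append(sum(ch.isdigit() for ch in first) / len(first) if first else 0.0)
        s["rare_types"] += qtype not in COMMON_TYPES
    return stats


def _mean(xs) -> float:
    return sum(xs) / len(xs) if xs else 0.0


def score_domain(s: dict, min_queries: int = 5) -> list[str]:
    """Traffic analysis: only judge domains with enough queries, then report
    every indicator that fires so an analyst can see why."""
    if s["queries"] < min_queries:
        return []
    reasons = []
    if _mean(s["label_len"]) > MAX_LABEL_LEN:
        reasons.append("long_labels")
    if _mean(s["entropy"]) > MAX_ENTROPY:
        reasons.append("high_entropy")
    if _mean(s["digit_ratio"]) > MAX_DIGIT_RATIO:
        reasons.append("many_digits")
    if len(s["names"]) / s["queries"] > MAX_UNIQUE_RATIO:
        reasons.append("unique_names")
    if s["rare_types"] / s["queries"] > MAX_RARE_TYPES:
        reasons.append("rare_record_types")
    return reasons


def detect_tunnels(log_text: str, min_queries: int = 5) -> dict:
    """Map each suspicious registered domain to the indicators that fired."""
    return {dom: r for dom, s in profile_domains(parse_log(log_text)).items()
            if (r := score_domain(s, min_queries))}


def volume_by_client(log_text: str) -> Counter:
    """Queries per source address, the per-IP volume check."""
    return Counter(client for client, _, _ in parse_log(log_text))


if __name__ == "__main__":
    for dom, reasons in detect_tunnels(SAMPLE_LOG).items():
        print(f"{dom}: {', '.join(reasons)}")
    print(volume_by_client(SAMPLE_LOG).most_common(1))
```

On the sample log only `tun.example` is reported, with the long-label, high-entropy, unique-name and rare-record-type indicators all firing; `example.com` has a single legitimate TXT lookup (`_dmarc`) and short readable names, so nothing fires. No single indicator is conclusive (SPF and DKIM checks are TXT queries, CDNs produce many unique hostnames), which is why the scoring reports the combination rather than alerting on any one of them.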
How to Keep Safe from DNS Tunneling Attacks
Most companies treat the DNS protocol as safe and trustworthy by default. That is why few of them analyse DNS traffic for malicious content and instead focus their resources on, for example, email traffic.
However, ignoring DNS security best practices exposes your infrastructure to serious risk. For obvious reasons you cannot simply block a vital service like DNS. So, here is what you can do to protect against DNS tunneling attacks.
- Make sure all internal clients send their DNS queries to an internal DNS server, and block direct outbound DNS from everything else, so that every query is logged and malicious domains can be rejected.
- Log DNS queries and responses so you can quickly identify and respond to potential DNS attacks.
- Deploy a DNS firewall (for example response policy zones on your resolver) to block known-malicious and newly registered domains.
- Use a real-time DNS security solution that flags odd DNS requests and abnormal traffic patterns.
How Can Heimdal® Help Mitigate DNS Tunneling Attacks?
Professionals at Heimdal® are here to help you protect against DNS-based attacks and block malicious activity on the spot.
Heimdal’s DNS Security tool is a ground-breaking DNS tool that combines threat intelligence, machine learning, and AI-based prevention to accurately forecast and stop future threats (96% of the time).
Heimdal® was the first to offer a system that incorporates genuine DNS over HTTPS, moving beyond the conventional rerouting of DNS packets.
By routing all DNS queries through an encrypted HTTPS session, the tool encrypts DNS traffic. DarkLayer Guard™ and VectorN Detection™ prevent malware from communicating with its command-and-control server by blocking the connection at the traffic level.
Heimdal® DNS Security Solution
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Wrapping Up
Cyberattacks were not a daily occurrence in the 1980s. When researchers designed DNS, they were not overly concerned with security, and that left several doors open for the threat actors who followed.
DNS tunneling is one of those doors. Because DNS traffic is vital to day-to-day activity, blocking it to prevent DNS tunneling is not an option.
What you can and should do is use DNS monitoring and DNS filtering to detect and stop malicious traffic. That keeps your sensitive data and your business safe.