Heimdal

DNS tunneling is one of the most common methods threat actors use in their cyberattacks. With DNS tunneling, data can be carried over the DNS protocol even though that data does not itself belong to DNS.

During DNS tunneling, an ordinary DNS transaction is used to exchange information with a malicious server that acts as the authoritative DNS server for a specific DNS zone.

Tunnels are a way of transporting data through a network even when that data uses protocols the network does not support. Tunneling is, basically, wrapping packets of data inside other packets that use a protocol the network does support.

The method is useful because not all networks support all protocols. And of course, it can be used by the good guys as well as the bad guys of the digital world.

Hackers can use HTTP, SSH, or TCP to transfer malware and stolen information through DNS queries, usually undetected by firewalls. The malicious information is camouflaged and sent as DNS queries and responses. The technique is used to avoid filtering and firewall detection, and to secretly send data through networks without being blocked. By launching a DNS tunneling attack, threat actors turn the Domain Name System (DNS), which is widely used and usually trusted, into their secret weapon.

How Does DNS Tunneling Work?

  • The first step, for the threat actor, is to register a domain and point it to a server he controls, on which tunneling malware is already installed.
  • Second, the victim’s device has to be compromised with malware. All DNS requests will be able to pass through the firewall without facing any restrictions.
  • After that, the recursive DNS server (DNS resolver) requests the IP address through the root and top-level domain servers.
  • The DNS resolver forwards the DNS query to the authoritative DNS server, which runs the tunneling software and is controlled by the threat actor.
  • There you go! The cybercriminal has an almost untraceable, easy-to-use connection to his victim. Through this channel, the threat actor can exfiltrate information or run commands on the victim’s machine. The hacker’s computer is harder to track because there is actually no direct connection between his device and the victim’s.

What Is DNS Tunneling Used for

DNS was created to translate human-readable names into machine addresses, not to exchange data, so security was not a priority. DNS is regarded as a safe, trustworthy protocol. This is why few companies consider it vulnerable and rarely check DNS packets for malicious data. Instead, they would rather focus all their resources on email traffic, for example.

  • Data exfiltration: attackers sneak information out over DNS. Although this is not a very efficient way to obtain data from a victim’s computer, it works and it is not easily detectable.
  • Command and Control (C2): threat actors might use the DNS protocol to send commands that activate a remote access trojan (RAT) or other malware.
  • IP-over-DNS tunneling: some utilities implement the IP stack on top of the DNS query/response protocol. That makes it simple to move data using standard communication programs such as FTP, Netcat, SSH, etc.

How to Detect a DNS Tunneling Attack

As DNS was designed to be very flexible, as discussed above, threat actors see it as a chance to carry out successful data exfiltration attacks. There are two strong indicators that you might be the victim of a DNS tunneling attack. Let’s first define them and then move on to methods of detecting this kind of attack.

Unusual Domain Requests: Let’s imagine that the data within a requested domain name is encrypted by DNS tunneling malware. An organization could distinguish between genuine traffic and DNS tunneling attempts by looking closely at the domain names requested in DNS queries. It should recognize which domain traffic is typical and which is not.

High DNS Traffic Volume: A DNS request’s domain name can only be a certain size (253 characters). To carry out data exfiltration or set up a highly interactive command and control protocol, an attacker will probably need to send out a lot of malicious DNS requests. The resulting increase in DNS traffic may be a sign that DNS tunneling is occurring.

If you take them separately, each of the two indicators can be perfectly normal. But if you notice that they happen repeatedly, you should take a closer look. They might show you are the victim of a DNS tunneling attack.

The techniques used to observe these indicators and detect a DNS tunneling attack can be split into two categories – payload analysis and traffic analysis.

  • Payload Analysis

This means you should check for the following signs: the size of the request and response, unusual hostnames, unusual DNS record types, and DNS lookups that try to violate policies which normally direct them to an internal DNS server. A normal hostname should consist of basic words, nothing encoded, with a normal percentage of numerical characters in the domain name.

  • Traffic Analysis

Check the volume of DNS traffic per IP address and per domain, the number of hostnames per domain, as well as the geographic location of the DNS server. A lot of DNS traffic going to geographical areas you have no connection with should look suspicious. You can also check the history of a domain: try to learn when an A record (or AAAA record) or NS record was created and added to a domain name.
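As an added illustration (not code from the original article), the following Python script applies both the payload analysis and the traffic analysis described above to a constructed resolver log: it scores each query's leftmost label for length, entropy, digit share and rare record type, then aggregates query volume, distinct hostnames and flagged queries per registered domain. The log format, the placeholder domain exfil-test.invalid and all thresholds are assumptions.

```python
import math
# Constructed sample resolver log, one "client qtype qname" per line (hypothetical
# format, not any real product's). exfil-test.invalid is a placeholder domain.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.5 A host12.example.com
10.0.0.7 TXT 0123456789abcdef0123456789abcdef.t.exfil-test.invalid
10.0.0.7 TXT fedcba9876543210fedcba9876543210.t.exfil-test.invalid
10.0.0.7 NULL 89abcdef0123456789abcdef01234567.t.exfil-test.invalid
10.0.0.7 TXT 13579bdf02468ace13579bdf02468ace.t.exfil-test.invalid
10.0.0.9 A cdn.example.org
"""
# Thresholds are assumptions for illustration; tune them against your own baseline.
MAX_LABEL_LEN, MAX_ENTROPY, MAX_DIGIT_RATIO = 24, 3.0, 0.25
RARE_TYPES = {"TXT", "NULL"}               # record types ordinary clients rarely ask for
QUERY_FLAG_MIN, DOMAIN_FLAGGED_MIN = 2, 3  # one indicator alone can be perfectly normal

def shannon_entropy(s):
    """Bits per character: encoded or random labels score high, plain words score low."""
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs) if s else 0.0

def registered_domain(qname):
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])  # naive: no public-suffix list

def payload_flags(qtype, qname):
    """Payload analysis on the leftmost label: size, encoding, digit share, record type."""
    label = qname.split(".")[0]
    digits = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    return {"long_label": len(label) > MAX_LABEL_LEN,
            "high_entropy": shannon_entropy(label) > MAX_ENTROPY,
            "many_digits": digits > MAX_DIGIT_RATIO,
            "rare_type": qtype.upper() in RARE_TYPES}

def analyze(log):
    """Traffic analysis: query volume, distinct hostnames and flagged queries per domain."""
    stats = {}
    for line in log.splitlines():
        _client, qtype, qname = line.split()
        d = stats.setdefault(registered_domain(qname), {"queries": 0, "hostnames": set(), "flagged": 0})
        d["queries"] += 1
        d["hostnames"].add(qname.lower())
        d["flagged"] += int(sum(payload_flags(qtype, qname).values()) >= QUERY_FLAG_MIN)
    return {k: {"queries": v["queries"], "hostnames": len(v["hostnames"]),
                "flagged": v["flagged"]} for k, v in stats.items()}

def suspicious_domains(log):
    """Domains whose flagged queries repeat often enough to deserve a closer look."""
    return sorted(k for k, v in analyze(log).items() if v["flagged"] >= DOMAIN_FLAGGED_MIN)
```

On the sample, host12.example.com trips only the digit-share indicator and stays unflagged, while the four long hexadecimal labels under exfil-test.invalid trip all four and push that domain over the per-domain threshold.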

How to Keep Safe from DNS Tunneling Attacks

For obvious reasons, you can’t just block a vital service like DNS. So you should consider a series of security measures that will offer you protection against DNS tunneling attacks.

  • Make sure that all your internal clients have their DNS queries routed to an internal DNS server, so you are able to reject any malicious domains.
  • Use DNS logging to swiftly identify and counter potential DNS attacks.
  • Create a DNS firewall to detect and prevent hackers’ intrusions.
  • Use a real-time DNS solution to identify odd DNS requests and DNS server traffic patterns.

How Can Heimdal® Help Mitigate DNS Tunneling Attacks?

Professionals at Heimdal® are here to help you keep your business protected against threat actors. Threat Prevention is a ground-breaking DNS security solution that combines cybercrime intelligence, machine learning, and AI-based prevention to accurately forecast and stop future threats (96% of the time).

Heimdal® was the first to offer a system that incorporates genuine DNS over HTTPS, moving beyond the conventional rerouting of DNS packets. Threat Prevention does not tolerate hacking, regardless of the connection protocol, the industry, the profile, or the company’s level of cyber awareness.

By routing all DNS queries through an encrypted session using Hypertext Transfer Protocol Secure, the tool encrypts DNS traffic. Malware is prevented from communicating with criminal infrastructure by being blocked at the traffic level by DarkLayer Guard™ and VectorN Detection™.


Wrapping Up

Cyberattacks did not happen daily in the 1980s, so there is no wonder that the DNS was not created with security in mind. This state of things left multiple doors open to threat actors that followed, like the DNS tunneling attack method we talked about. However, DNS traffic is vital to our day-to-day activity, and therefore blocking it is not an option.

What you can and should do is use professional security solutions that keep your data and business safe from any malicious activity.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
