DNS Tunneling

Listen to this article instead
5:50

What is DNS Tunneling

DNS tunneling is a malware technique that allows an attacker to establish a command-and-control (C2) channel to a victim’s computer. The channel created provides a means of encapsulating malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic especially in scenarios where almost all other traffic is restricted.

Another common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. As cybersecurity experts continue to block or heavily control other channels like FTP and HTTPS, the use of DNS tunneling is increasing.

How DNS Tunneling Works

The Attacker’s mind

The DNS service is critical for most networks and as such is typically allowed to pass through most firewalls unfiltered. The UDP port 53 most commonly used for DNS traffic cannot be completely blocked by organizations as this will break most, if not all, network communication.

Attackers fully understand this situation and have crafted various means of exploiting it, one of which is DNS tunneling. To perform DNS tunneling, an attacker infects a victim’s computer with malware which then allows the attacker to establish the C2 channel for sending information to and receiving commands from the attacker’s server.

Setting up a DNS Tunnel

To set up a DNS tunnel to a victim’s computer, an attacker registers a domain like example.com.

The attacker then proceeds to register their server as the domain’s authoritative DNS server. Oftentimes, a subdomain is also set up where the authoritative DNS server redirects the domain traffic. With this setup, the attacker can listen to the DNS port on the C2 server for DNS requests coming from the infected system.

When an infected system makes a DNS request to resolve example.com, a connection is established between the infected system and the attacker’s C2 server creating a covert channel that can be used for malicious activities like uploading and downloading files, executing programs, launching an interactive shell, etc.

How an attacker can take advantage of DNS tunneling

One of the most common uses of a DNS tunnel is data exfiltration. The infected system can use the channel created to pass sensitive data to the attacker’s C2 server. Let’s look at an example.

Imagine a victim’s computer is infected with malware and listens for keystrokes to capture the user’s username and password when they visit a particular website—let’s say their bank website.

This captured information can then be encoded in base64 and attached to the DNS query like below: 

Because this string has all the characteristics of a valid DNS name, it can be sent undetected to the attacker’s computer where it can be decoded and inspected. 

Just as infected zombie systems can communicate with the C2 server over the created channel, the attacker can also communicate back. Using well-crafted DNS records (A, AAAA, TXT, etc) in the query response, an attacker can send a command back to the malware on the victim’s computer to perform more tasks e.g., install additional malware, shut down the victim’s computer, encrypt the victim’s hard drive and request ransom, etc.

Another use of DNS tunneling is to provide heartbeat signals to the C2 server. This signal is sent from the victim’s computer to the C2 server letting the attacker know that the infected machine is still available and waiting for commands.

An attacker establishing a DNS tunnel can be compared to an ill-intentioned person gaining access into your house, there is really no limit to what they can do. The magnitude of possible damage is always based on what their evil intentions are.

Preventing DNS Tunnelling Attacks

DNS Filtering (Recommended Solution)

Having a DNS filtering system to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. 

Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks.

Some of the features required of a good DNS filtering system are listed below:

  • Detect phishing attacks that can lead to the installation of malware
  • Each time a DNS server receives a DNS request, it should be compared against a block list of known malicious domains
  • Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
  • Detect and alert on unusual DNS traffic patterns

DNSFilter offers these features and more to help guard against DNS tunneling attacks. You can start with a free account today.

Other (Manual) Precautions

Aside from filtering DNS queries, there are other precautions you can take after implementing a DNS filtering solution. These include:

  • Removing local admin privileges from users
  • Create an “Allow list” of applications that can be installed on the system
  • Installing a Host-based intrusion detection system (IDS)
  • Installing Anti-malware
  • ...and many more host-level protective measures.

DNS tunneling is one of the strategies used for launching Advanced Persistent Threats (APTs) on a victim’s computer. The persistence of this threat makes it more dangerous as it can live undetected on a compromised system for so long exposing it to dangers only limited by the attacker’s malicious mind. 

 

Start protecting your networks today by getting a free trial of DNSFilter. If you need more information about our DNS filtering solution, feel free to book a demo with us.

 

Search
  • There are no suggestions because the search field is empty.
Latest posts
Ensuring CIPA Compliance: A Practical Guide (and checklist) for Educational Leaders Ensuring CIPA Compliance: A Practical Guide (and checklist) for Educational Leaders

The Children's Internet Protection Act (CIPA) is a critical law designed to ensure that students are protected from harmful online content. It requires schools and libraries to implement Internet safety measures, such as filtering and monitoring, to safeguard minors. Compliance with CIPA is essential for institutions seeking E-Rate program discounts for Internet access and internal connections.

The Power of Customer Experience The Power of Customer Experience

Customer experience is the secret sauce that sets successful Managed Service Providers (MSPs) apart from the rest. In a market teeming with competition, you need more than offering the best technology or the lowest prices. It's about how clients feel when they interact with your services. A stellar customer experience can transform a one-time client into a loyal advocate, while a poor one can send them running to your competitors. According to a ...

Enhancing Security for In-Store Wi-Fi: How to make convenience safe for all Enhancing Security for In-Store Wi-Fi: How to make convenience safe for all

As demand grows for constant connectivity to the digital world, offering free Wi-Fi has become as essential for restaurants and retail stores as providing quality products and exceptional service. Customers increasingly expect to stay connected wherever they go, and the availability of Wi-Fi in restaurants, shopping malls, and retail outlets significantly influences their choice of where to dine and shop. For businesses, providing in-store Wi-Fi ...

Explore More Content

Ready to brush up on something new? We've got even more for you to discover.