DNS tunneling is a technique that abuses the Domain Name System (DNS) to transfer data via DNS queries and responses. It is often used by attackers to sneak network traffic past firewalls or other security measures by manipulating regular DNS queries to include data that is not normally transmitted via DNS.
DNS tunneling works by hiding, inside ordinary DNS queries and responses, data that the DNS protocol was never meant to carry. Normally, DNS is used to resolve domain names to IP addresses, but with DNS tunneling the data is embedded in the domain names that are sent in the DNS queries. These requests reach a DNS resolver, which forwards them to an authoritative DNS server that is under the attacker’s control.
The authoritative DNS server recognizes the embedded data and decodes it. In turn, it can insert data into its DNS responses, which are then sent back to the client. This enables two-way communication in which data is transmitted via DNS without being immediately noticeable. This method is often used to bypass firewalls, exfiltrate data from a network, or connect malware to a command and control server. Since DNS traffic is not closely monitored in many networks, this traffic can often go undetected.
DNS tunneling is mainly used for the following purposes:
Bypassing firewalls and network security measures
DNS tunneling is often used to bypass security measures such as firewalls or content filters. Since DNS traffic is subject to less strict monitoring in many networks, attackers use DNS tunneling to route other protocols (such as HTTP or SSH) via DNS to access the Internet or servers undetected.
Data exfiltration
One of the most dangerous uses of DNS tunneling is data exfiltration, where confidential data (such as passwords, credit card information, or trade secrets) is exfiltrated from a secured network via DNS queries. This can be done without triggering traditional security solutions, as DNS traffic is often considered legitimate.
Command and control (C2) communication
DNS tunneling is often used by malware or botnets to communicate with a command and control (C2) server. This server relays instructions to infected devices on the network, often to download more malware or carry out attacks. It allows attackers to conceal this communication and thus bypass the network’s security measures.
VPN-like connections in restricted networks
DNS tunneling can be used to create a type of VPN in networks that restrict access to certain services or websites. This way, users can connect to blocked websites through DNS tunneling or access the Internet without restrictions, even if certain protocols or ports are blocked.
DNS tunneling can be detected by various anomalies and analysis methods that indicate unusual DNS traffic. An initial indication of such an attack is the length or frequency of DNS requests. Normally, DNS requests are limited in length, as they only contain domain names for IP resolution. However, with DNS tunneling, data is embedded in these requests, causing them to contain unusually long or complex domain names, often with many subdomains.
Another distinguishing feature is a high number of DNS requests sent to the same server within a short period of time. If an unusually high number of DNS requests is recorded, this may indicate that DNS is being misused as a transport mechanism for other traffic.
The target servers of DNS queries also provide important clues. In a normal network, DNS queries go to known and trusted DNS servers. Requests to unknown or suspicious DNS servers may indicate that a DNS tunnel has been established to an attacker’s authoritative server that processes the requests.
A particularly strong indicator of DNS tunneling is an unusually high data volume in DNS traffic. DNS queries and responses are usually small because they only perform name resolutions. However, if larger amounts of data are transferred via DNS, this could be a sign that DNS is being used to tunnel other data protocols.
In addition, delayed response times to DNS requests can be an indication of DNS tunneling. Since the requests often transport data that requires additional processing, responses usually take longer.
A detailed analysis of the DNS payloads can also expose DNS tunneling. This involves examining the contents of the DNS requests and responses for encoded data, such as Base64 strings. Such encodings are used to hide data inside DNS messages; the data is then decoded on the attacker’s server.
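The indicators described above (long or label-heavy names, encoded-looking labels, requests to resolvers outside the approved set, and unusual data volume per client and domain) can be turned into a simple log analyzer. The following is an added example, not code from the original page: it assumes a plain-text query log with the fields "timestamp client resolver qtype qname", thresholds chosen for illustration, a hypothetical internal-resolver allowlist, and a two-label approximation of the registered domain (a real tool would consult the Public Suffix List). The log lines are constructed sample data.

```python
"""Heuristic DNS-tunneling indicators over constructed query-log lines (added example)."""
import math
import re
from collections import defaultdict

# Assumed thresholds, chosen for illustration; tune them per environment.
MAX_QNAME_LEN = 52          # typical names are far shorter
MAX_LABELS = 4              # e.g. host.sub.example.com has 4 labels
MIN_ENCODED_LABEL_LEN = 16  # labels this long with high entropy look encoded
MIN_ENTROPY_BITS = 3.5      # Shannon entropy (bits per character) of a single label
MAX_UNIQUE_SUBDOMAINS = 3   # distinct names per (client, domain) in the sample window
MAX_BYTES_PER_PAIR = 120    # qname bytes per (client, domain) in the sample window
APPROVED_RESOLVERS = {"10.0.0.2"}  # hypothetical allowlist of internal resolvers

ENCODED_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # Base64/Base32/hex-style alphabet

# Constructed sample log: format "<ts> <client_ip> <resolver_ip> <qtype> <qname>".
SAMPLE_LOG = """\
1700000001 10.0.0.5 10.0.0.2 A www.example.com
1700000002 10.0.0.5 10.0.0.2 AAAA mail.example.com
1700000003 10.0.0.5 10.0.0.2 A cdn-assets.static.example.com
1700000004 10.0.0.7 10.0.0.2 TXT q7xk2mvb9pzr4wtn8hjc3fdy.a1b2c3d4e5f6g7h8i9j0k1l2.t1.exfil-demo.test
1700000005 10.0.0.7 10.0.0.2 TXT zj4kqw8nr2tp7vxc6bmh3dfy.m9n8b7v6c5x4z3l2k1j0h9g8.t2.exfil-demo.test
1700000006 10.0.0.7 10.0.0.2 TXT p3fdx9hkm2bvw7tzq4jcn8ry.f5g6h7j8k9l0q1w2e3r4t5y6.t3.exfil-demo.test
1700000007 10.0.0.7 10.0.0.2 TXT w8rtn4yxk7qcm2vzb9hpj3fd.u1i2o3p4a5s6d7f8g9h0j1k2.t4.exfil-demo.test
1700000008 10.0.0.9 203.0.113.53 A www.example.org
"""


def shannon_entropy(text):
    """Bits per character of a string; high values suggest encoded or encrypted data."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels; an approximation, a real tool would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line):
    ts, client, resolver, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "resolver": resolver,
            "qtype": qtype, "qname": qname.rstrip(".").lower()}


def query_indicators(q):
    """Per-query indicators: name length, label count, encoded-looking label, resolver."""
    flags = []
    labels = q["qname"].split(".")
    if len(q["qname"]) > MAX_QNAME_LEN:
        flags.append("long_qname")
    if len(labels) > MAX_LABELS:
        flags.append("many_labels")
    for label in labels[:-2]:  # never score the registered domain itself
        if (len(label) >= MIN_ENCODED_LABEL_LEN and ENCODED_CHARS.match(label)
                and shannon_entropy(label) >= MIN_ENTROPY_BITS):
            flags.append("encoded_label")
            break
    if q["resolver"] not in APPROVED_RESOLVERS:
        flags.append("unapproved_resolver")
    return flags


def analyze(log_text):
    """Return {(client, domain): sorted indicators} for pairs with at least one indicator."""
    per_pair = defaultdict(lambda: {"flags": set(), "names": set(), "bytes": 0})
    for line in log_text.strip().splitlines():
        q = parse_line(line)
        agg = per_pair[(q["client"], registered_domain(q["qname"]))]
        agg["flags"].update(query_indicators(q))
        agg["names"].add(q["qname"])          # distinct names carry distinct payload chunks
        agg["bytes"] += len(q["qname"])       # rough measure of data volume sent via DNS
    findings = {}
    for key, agg in per_pair.items():
        flags = set(agg["flags"])
        if len(agg["names"]) > MAX_UNIQUE_SUBDOMAINS:
            flags.add("many_unique_subdomains")
        if agg["bytes"] > MAX_BYTES_PER_PAIR:
            flags.add("high_data_volume")
        if flags:
            findings[key] = sorted(flags)
    return findings


if __name__ == "__main__":
    for (client, domain), flags in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(flags)}")
```

On the sample, the client 10.0.0.7 querying exfil-demo.test trips every indicator, 10.0.0.9 is flagged only for using a resolver outside the allowlist, and the ordinary queries from 10.0.0.5 produce no finding. Some legitimate services (CDNs, anti-malware reputation lookups) also generate long, high-entropy names, so these indicators are best used for alerting and triage, with thresholds tuned against a baseline of the network's own traffic, rather than for automatic blocking.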
Protection against DNS tunneling relies on a combination of security measures that include both technical controls and monitoring mechanisms.
Filtering and monitoring DNS traffic
One of the most effective methods of preventing DNS tunneling is to monitor and filter DNS traffic. This can be done with specialized firewalls, intrusion detection systems (IDS) or intrusion prevention systems (IPS) that analyze DNS requests for unusual patterns and anomalies. They can block suspiciously long or frequent requests, as well as DNS requests to unknown or suspicious servers.
DNS whitelisting
DNS whitelisting allows organizations to specify which DNS servers can be used for name resolution, allowing requests to unauthorized DNS servers to be blocked. This prevents DNS tunnels from being established to malicious external DNS servers.
Implement DNSSEC
DNSSEC (Domain Name System Security Extensions) technology adds an authentication layer to DNS transactions to ensure the integrity of DNS data. Although DNSSEC does not directly prevent DNS tunneling, it ensures that DNS responses are authenticated, making it more difficult to inject fake DNS data.
Restricting DNS forwarding
DNS forwarding to external DNS servers should be restricted or disabled. Instead, internal, secure DNS resolvers can be used to ensure that DNS traffic remains within the trusted network and can be better monitored.
Logging and analyzing DNS queries
Logging DNS traffic is another method for detecting suspicious activity. Organizations should regularly review DNS logs for unusual queries or recurring patterns that could indicate DNS tunneling. Detailed analysis of these logs can help detect attacks early on.
Rate limiting for DNS requests
By implementing rate limiting, organizations can limit the number of DNS requests per second per host or IP address. DNS tunneling often requires a large number of requests, so limiting these requests will reduce the effectiveness of such attacks.
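Both the high request frequency named earlier as an indicator and the rate limiting recommended here come down to budgeting queries per client. The following is an added example, not the page's or any resolver's code: a token-bucket limiter that grants each client an assumed sustained rate of 3 queries per second with a burst allowance of 10, applied to two constructed traffic streams, one of a normal workstation and one of a host issuing queries at tunneling-like speed.

```python
"""Per-client DNS query rate limiter (token bucket), an added example."""
from collections import defaultdict

RATE = 3.0    # assumed sustained queries per second allowed per client
BURST = 10    # assumed bucket depth; short bursts (e.g. a page load) are normal


class QueryRateLimiter:
    def __init__(self, rate=RATE, burst=BURST):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))  # new clients start with a full bucket
        self.last_seen = {}

    def allow(self, client, now):
        """Return True if the query from `client` at time `now` (seconds) fits its budget."""
        elapsed = now - self.last_seen.get(client, now)
        self.last_seen[client] = now
        # Refill in proportion to the time since this client's previous query, capped at BURST.
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False  # over budget: drop, or only log in an alert-only deployment


def simulate(events, limiter=None):
    """events: iterable of (timestamp, client), chronological per client.
    Returns {client: (allowed, dropped)}."""
    limiter = limiter or QueryRateLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, client in events:
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


# Constructed traffic: a normal workstation issues 20 queries over 10 s;
# a tunneling client fires 50 queries within half a second.
NORMAL_CLIENT = [(i * 0.5, "10.0.0.5") for i in range(20)]
TUNNEL_CLIENT = [(i * 0.01, "10.0.0.7") for i in range(50)]

if __name__ == "__main__":
    for client, (allowed, dropped) in simulate(NORMAL_CLIENT + TUNNEL_CLIENT).items():
        print(f"{client}: allowed={allowed} dropped={dropped}")
```

The normal client never exceeds its budget, while the bursty client gets its first ten queries through and then only one more as the bucket slowly refills. In practice the same control is usually configured on the resolver or firewall rather than written by hand, and because busy legitimate hosts (mail gateways, proxies) can also produce high query rates, the limit should first run in alert-only mode while a baseline is established.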
Using encrypted DNS (DoH or DoT)
DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypt DNS requests, making it more difficult for attackers to manipulate or read DNS traffic. This provides an additional layer of security against attacks that abuse the DNS protocol.
If you have any questions about effective protection, you can contact us at any time. Our security experts will be happy to answer all your questions about protection options. You may also want to take a look at our Secure DNS to prevent such attacks from succeeding.