Sign Up Login
Resource Center  >  Blog

DNS Tunneling: How it Works, Detection and Prevention

What Is DNS Tunneling?

DNS tunneling is a DNS attack technique that involves encoding the information of other protocols or programs in DNS queries and responses. DNS tunneling generally features data payloads which can latch onto a target DNS server, allowing the attacker to manage applications and the remote server. 

DNS tunneling tends to rely on the external network connectivity of the compromised system—DNS tunneling needs a way into an internal DNS server that has network access. Attackers also have to control a server and a domain that may function as an authoritative server to carry out data payload executable programs and server-side tunneling. 

In this article:

Impact of DNS Tunneling

DNS was first created for name resolution rather than for data exchange, thus it’s often not viewed as a risk for data exfiltration or malicious interchanges of information. Most organizations focus their security efforts on web and email traffic, as they see this as a regular source of attacks. As a result, DNS is often overlooked. 

DNS is a confided and entrenched protocol, so cybercriminals can take advantage of the fact that many organizations don’t often investigate DNS packets for malevolent behavior. 

Aside from this, tunneling application bundles are now an industry and are widely accessible via the internet. An attacker doesn’t need to be particularly sophisticated to carry out DNS tunneling exploits.

The threats posed by DNS tunneling exploits include:

  • DNS tunneling exploits may provide attackers with an accessible backchannel to exfiltrate stolen information. DNS provides a covert means of correspondence to bypass firewalls.
  • Cybercriminals tunnel different sorts of protocols, such as HTTP or SSH, with DNS, which allow them to covertly pass stolen data or pass IP traffic. 
  • The DNS tunnel may be used as a full controller channel for an inside host that has already been exploited. This allows cybercriminals to download code to malware, secretly take records out from the organization, or have complete distant entry to the servers, and more.
  • DNS tunnels can also be used to sidestep captive portals, so they don’t need to pay for wi-fi services.
  • DNS tunneling uses the DNS protocol to tunnel information and malware via a client-server model.

Typical abuse cases include:

  • Data exfiltration—cybercriminals extract sensitive information over DNS. This is not the most effective approach to obtaining data from a victim’s PC, given all the additional encoding and overheads, but it does work.
  • Command and control (C2)—cybercriminals utilize the DNS protocol to dispatch simple commands to, for example, install a remote access trojan (RAT).
  • IP-over-DNS tunneling—some utilities may have actualized the IP stack via the DNS inquiry reaction convention. These make malicious movements simpler.

How DNS Tunneling Works

DNS tunneling makes use of the DNS protocol for tunneling malware and different data via a client-server model. This typically involves the following steps:

  1. The cybercriminal registers a domain, for example malsite.com. The domain’s name server directs to the cybercriminal’s server, where the tunneling malware software is installed. 
  2. The cybercriminal infects a computer with malware, which penetrates the organization’s firewall. DNS requests are always permitted to move in and out of the firewall, so the infected computer is permitted to send queries to the DNS resolver. The DNS resolver then sends requests for IP addresses to top-level and root domain servers. 
  3. The DNS resolver routes queries to the cybercriminal’s server, where the tunneling program is implemented. A connection is thus created between the cybercriminal and the victim via the DNS resolver. The attacker can use this tunnel for malicious ends, such as exfiltrating information. There is no direct connection between the cybercriminal and the victim, so it is harder to trace the cybercriminal’s computer.  

Identifying DNS Tunneling Attacks

DNS tunneling is the misuse of the DNS protocol. Rather than utilizing DNS replies and requests to carry out valid IP address searches, malware can hijack the DNS to put in place a control and command channel via its executor. 

The flexibility of DNS makes it a suitable option for data exfiltration, though it is also limited. Some indications of DNS tunneling on a network may include: 

  • Atypical domain requests—DNS tunneling malware encodes information inside a requested domain name. Examination of these domain names in DNS requests could let an organization tell the difference between legitimate traffic and possible DNS tunneling. 
  • Requests for unusual domains—DNS tunneling is only successful if the cybercriminal possesses the target domain so DNS requests travel to their DNS server. If an organization is noticing a sudden increase in requests about an uncommon domain, it could point to DNS tunneling.
  • High DNS traffic volume—the domain name in a DNS request comes with a topmost size (253 characters), so cybercriminals usually need many malicious DNS requests to carry out data exfiltration or to put in place an interactive command and control rule. The subsequent increase in DNS traffic may point towards DNS tunneling.

These points may be harmless on their own, but if you notice multiple abnormalities, this could indicate the presence of DNS tunneling malware in your network.   

Preventing DNS Tunneling Attacks

Employing a DNS filtering system to sift through your DNS requests is one tried and tested way to help stop DNS tunneling attempts. 

DNS tunneling relies on DNS queries to form a malicious association with the cybercriminal’s computer. Thus, if you can monitor, detect and block malicious queries, this is highly effective in preventing these sorts of attacks. 

An effective DNS filtering system should include: 

  • Identification of phishing attacks that could result in the installation of malware
  • Detection of Domain Generation ALgorithms (DGAs) employed by cybercriminals to produce random domains for attacks
  • Identification and notification of atypical DNS traffic patterns 
  • Comparison of each DNS request against a blacklist of identified malicious domains

You can take further measures once you’ve implemented a DNS filtering solution, such as: 

  • Revoke local administrative privileges from users
  • Establish a whitelist of applications that may be installed on the system
  • Install a host-based Intrusion Detection System (IDS)
  • Install anti-malware

DNS Tunneling Protection with Bright

Bright has been built from the ground up with a dev first approach to test your web applications and APIs for hundreds of vulnerabilities.

Bright complements DevOps and CI/CD processes, empowering developers to detect and fix vulnerabilities on every build. It reduces the reliance on manual testing by leveraging multiple discovery methods:

  • HAR files
  • OpenAPI (Swagger) files
  • Postman Collections

Register for a Free Bright account and prevent DNS tunneling attacks on your applications.

Publication:
October 11, 2021
Writer:
Admir Dizdar
Related Articles:
Category:
Resources
Company
Legal
Get Started
Testing variance Using Legacy Dast Using Dev-Centric Dast
% of orgs knowingly pushing vulnerable apps & APIs to prod 86% 50%
Time to remediate >Med vulns in prod 280 days <150 days
% of > Med vulns detected in CI, or earlier <5% ~55%
Dev time spent remediating vulns - Up to 60x faster
Happiness level of Engineering & AppSec teams - Significantly improved
Average cost of Data Breach (US) $7.86M $7.86M