A DNS tunneling attack turns the Domain Name System (DNS), a highly trusted and widely used system on the Internet, into a weapon for cybercriminals. This type of attack abuses the protocol to sneak malicious traffic through the defenses of the victim organization.
Cybercriminals use malicious domain names and DNS servers under their control to bypass protections and exfiltrate data.
Before we jump into explaining what the DNS tunneling attack is and how it works, let’s talk a little bit more about what DNS is.
Domain Name System – explained
The Domain Name System, or DNS for short, is a global naming database. Thanks to it, we are able to use the Internet as we do today. Its purpose is to translate human-readable domain names, such as example.net, into their corresponding machine-friendly IP addresses, such as 184.108.40.206. That way, regular users are not required to remember long and difficult numbers. Instead, people easily memorize domain names and use them to reach their favorite news, sports, or other websites.
A lot of services rely on the large number of DNS translation queries that occur constantly. For that reason, DNS traffic is widely used and trusted. Because DNS was designed for name resolution rather than for transferring data, it was not viewed as a channel for malicious communications and data exfiltration. Yet DNS is not just a translation instrument for domain names. DNS queries can also carry small amounts of data between devices, systems, and servers. The bad news is that this makes DNS a potential attack vector.
Unfortunately, the majority of organizations do not analyze DNS packets for malicious activity frequently. Instead, they mainly concentrate on web or email traffic, where they expect an attack to appear. The truth is that DNS traffic from every endpoint should be monitored in detail to prevent DNS tunneling attacks.
DNS Tunneling – what do you have to know?
A DNS tunneling attack is a popular cyber threat because it is very difficult to detect. It routes DNS requests to a server controlled by the attacker and provides them with a covert command-and-control channel and a data exfiltration path.
Typically, DNS tunneling involves data payloads embedded in DNS traffic to the attacker's DNS server, which can also be used to remotely control the compromised host and its applications. For the attack to work, the compromised system needs a path to an external network, usually through an internal DNS server that can resolve external names. The cybercriminal controls a domain name and a server that acts as its authoritative name server; that server runs the server-side tunneling software and handles the data payloads.
How does it work?
A DNS tunneling attack takes advantage of the DNS protocol to tunnel malware or data through a client-server model. Let’s explain how this attack actually works.
It all starts when a user downloads malware or the cybercriminal exploits a vulnerability on the device to deliver a malicious payload. In most cases, the cybercriminal wants to keep a connection to the compromised device, that is, the ability to run commands on it or exfiltrate data. Therefore, the attacker sets up a command-and-control (C2) connection. Such traffic has to pass through the network's perimeter security measures and avoid detection while crossing the target network.
For that reason, DNS is a suitable option for setting up the tunnel. In cybersecurity, a tunnel is a protocol connection that carries a payload of data (commands) through perimeter security measures. The DNS tunneling attack hides information within DNS queries and sends it to a server controlled by the cybercriminal, and DNS traffic typically passes freely through perimeter security measures such as firewalls. To set up the DNS tunnel, the cybercriminal registers a domain name and configures an authoritative name server for it under their control.
Then the malware or payload on the compromised device issues a DNS query for a subdomain that encodes the communication. The recursive DNS server (DNS resolver) receives the query and forwards it to the attacker’s authoritative server. That server responds with a DNS answer containing data (a command) for the compromised device. That way, the exchange passes without triggering any security measures.
Let’s break the DNS Tunneling attack into the following steps:
- The cybercriminal registers a domain and points it to a server under their control, on which the tunneling malware software is installed.
- The cybercriminal infects a device with malware, getting past the victim’s firewall. DNS requests are not restricted from passing in and out of the firewall.
- The recursive DNS server (DNS resolver) looks up the domain through the root and top-level domain servers.
- The DNS resolver then routes the DNS query to the authoritative DNS server, which is controlled by the attacker and runs the tunneling software.
- The connection between the cybercriminal and the target is created without anyone noticing.
Detecting DNS Tunneling
There are several techniques that can help you detect a DNS tunneling attack. They fall into two main categories – payload analysis and traffic analysis.
Payload analysis – The DNS payload of one or more requests and responses is examined for signs of a tunnel.
- Examining the size of the request and answer. DNS tunneling utilities try to pack as much data into requests and answers as possible, so tunneling requests are likely to have long labels (up to the 63-character limit) and long names overall (up to the 255-character limit).
- Unreadable hostnames. Legitimate DNS names commonly contain dictionary words and have some kind of meaning. Encoded names usually look random, and they often use a larger character set.
- Statistical examination. You can detect tunneling by checking the character composition of DNS names. Legitimate DNS names commonly contain few digits, whereas encoded names tend to contain many. Examining the percentage of numerical characters in a domain name, and the length of the Longest Meaningful Substring (LMS) as a percentage of the name’s length, can also help.
- Uncommon DNS record types. Check for record types that a regular client does not usually request, for example TXT records.
- Policy violations. If a policy directs every DNS lookup to pass through an internal DNS server, violations of that policy can be used as a detection signal.
- Specific signatures. You can use a signature to match precise attributes in the DNS header and then scan for particular content in the payload.
Traffic analysis – The traffic is examined over time.
- Volume of DNS traffic per IP address. A simple technique is to check the amount of DNS traffic coming from a particular client IP address.
- Volume of DNS traffic per domain. Another basic method is to check for large amounts of traffic towards a single domain name. DNS tunnel utilities are typically set up to tunnel data through one specific domain name, so all of the tunneled traffic goes to that exact domain.
- Number of hostnames per domain. DNS tunneling utilities request a different hostname on every request, which raises the number of unique hostnames far above that of a normal, legitimate domain.
- Geographic location of the DNS server. Check for large amounts of DNS traffic directed to geographic areas where you do not offer your services or products.
- Domain history. You can examine when an A (or AAAA) record or NS record was created and added to a domain name. This technique is very useful for detecting domain names set up for malicious purposes.
Source: GIAC Certifications
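As an added illustration (not code from the original article or from GIAC), the following Python script runs the payload-analysis checks listed above (label and name length, digit share, entropy of the first label, uncommon record types) and the traffic-analysis counters (queries per client IP, queries per domain, distinct hostnames per domain) over a constructed query log. The log lines, the thresholds and the `example-tunnel.test` domain are assumptions made for this example, and the registered-domain guess is a crude last-two-labels heuristic rather than a public-suffix lookup.

```python
import math
from collections import Counter, defaultdict
# Constructed sample log, "<client_ip> <qtype> <qname>" per line: four ordinary lookups, then three tunnel-style queries.
SAMPLE_LOG = """\
10.0.0.5 A www.example.net
10.0.0.5 AAAA mail.example.net
10.0.0.7 A cdn.example.org
10.0.0.7 A static.example.org
10.0.0.9 TXT 0123456789abcdef0123456789abcdef0123456789abcdef01234567.t.example-tunnel.test
10.0.0.9 TXT 89abcdef0123456789abcdef0123456789abcdef0123456789abcdef.t.example-tunnel.test
10.0.0.9 TXT cdef0123456789abcdef0123456789abcdef0123456789abcdef0123.t.example-tunnel.test
"""
COMMON_QTYPES = {"A", "AAAA", "CNAME", "MX", "PTR"}  # what ordinary clients usually ask for (assumed)
def parse_log(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def shannon_entropy(s):
    """Bits per character; encoded data scores higher than dictionary words."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def base_domain(qname):
    """Crude registered-domain guess (last two labels); no public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def payload_flags(qtype, qname):
    """Payload analysis: label/name length, digit share, entropy, record type."""
    labels = qname.rstrip(".").split(".")
    checks = {
        "long_label": max(len(lab) for lab in labels) > 40,   # label limit is 63
        "long_name": len(qname) > 64,                         # ordinary names are far below the 255 limit
        "digit_heavy": sum(c.isdigit() for c in labels[0]) / len(labels[0]) > 0.3,
        "high_entropy": len(labels[0]) >= 16 and shannon_entropy(labels[0]) > 3.5,
        "uncommon_qtype": qtype not in COMMON_QTYPES,
    }
    return [name for name, hit in checks.items() if hit]

def traffic_summary(records):
    """Traffic analysis: queries per client IP, per domain, distinct hosts per domain."""
    per_ip, per_domain, hosts = Counter(), Counter(), defaultdict(set)
    for ip, _qtype, qname in records:
        per_ip[ip] += 1
        per_domain[base_domain(qname)] += 1
        hosts[base_domain(qname)].add(qname)
    return per_ip, per_domain, {d: len(h) for d, h in hosts.items()}

def suspicious_domains(records, min_flags=3, min_hosts=3):
    """Domains whose queries trip several payload checks and churn hostnames."""
    hosts = traffic_summary(records)[2]
    hit = Counter(base_domain(q) for _ip, t, q in records if len(payload_flags(t, q)) >= min_flags)
    return sorted(d for d in hit if hosts[d] >= min_hosts)
```

On the sample log only `example-tunnel.test` trips both the payload checks and the hostname-churn counter; in production the thresholds need tuning against a baseline of your own resolver logs, since CDNs and some security products also generate long, random-looking names.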
Protection against DNS Tunneling attacks
DNS is a crucial service, so blocking it would cause problems. Protection against DNS tunneling therefore involves several measures that help prevent such an attack.
- Keep a close eye on, and track, questionable IP addresses and domain names from unfamiliar sources.
- Configure all internal clients to send their DNS requests (DNS queries) to an internal DNS server. That way, you can filter potentially malicious domains.
- Stay watchful for suspicious domain names, and always monitor DNS traffic. That will reduce the chance of a DNS tunneling attack succeeding.
- Establish a DNS firewall to recognize and stop intrusions.
- A real-time DNS solution that can detect uncommon DNS queries and unusual traffic patterns on the DNS server is another excellent option.
DNS tunneling is a severe cyber threat that can have serious consequences, because the cybercriminal uses the tunnel for malicious ends such as exfiltrating information. In addition, there is no direct connection between the cybercriminal and the target, which makes the attacker’s activity hard to detect.