DNS is a critical and foundational protocol of the internet, often described as the 'phonebook of the internet'. Its primary purpose is to map domain names to IP addresses: DNS translates human-friendly names such as www.firstlook.com into machine-friendly IP addresses such as 192.167.82.137. Without DNS, it would be nearly impossible for us to find anything on the internet. Right?
Your organization allows DNS traffic to pass through its firewall (both inbound and outbound) because your internal employees need it to visit external sites and external users need it to find your website(s). So do all organisations...
-
What Is DNS Tunneling?
Experts call it the most damaging of DNS attacks.
DNS uses UDP on port 53, which is nearly always open on systems, firewalls and clients so that DNS queries can get through. The protocol itself has no built-in security.
Cybercriminals know that DNS is used and trusted everywhere. Any IT professional will also recognise that, because DNS is not intended for data transfer, many organizations do not monitor their DNS traffic for malicious activity. As a result, a number of DNS-based attacks can be effective when launched against company networks. DNS tunneling is one such attack.
DNS tunneling attacks abuse this protocol to sneak malicious traffic past your organization’s defenses. By using malicious domains and DNS servers, an attacker can use DNS to evade your network defenses and perform data exfiltration.
Attackers can create covert channels over DNS for the purposes of hiding communication or bypassing policies put in place by your network administrators.
In DNS tunneling, attackers take advantage of this fact by using DNS requests to implement a command and control (C&C) channel for malware. Inbound DNS traffic can bring commands to the malware, while outbound traffic can exfiltrate your sensitive data or provide responses to the malware operator’s requests.
Suppose the hackers are in control of the DNS server. Then they can scoop up data from your database too: the names, addresses, phone and mobile numbers, email addresses and social security numbers of your customers, their credit card numbers, your employees' usernames and passwords, or virtually any information, without necessarily being spotted.
-
How Does DNS Tunneling Happen?
The general modus operandi of a DNS tunneling attack is as follows:
- The attackers register a domain, such as firstlook.com. The domain's name server points to the attackers' server, where a tunneling malware program is installed.
- The attackers then infect computers with malware, mostly machines behind your company's firewall. Since DNS requests are always allowed in and out through the firewall, the infected computers can send a query to the DNS resolver, the server that relays requests for IP addresses to the root and top-level domain servers.
- The DNS resolver routes the query to the attackers' command-and-control (C&C) server, where the tunneling program is installed. A connection is now established between the victim machine and the attacker through the DNS resolver. This tunnel can then be used to exfiltrate your data or for other malicious purposes. Because there is no direct connection between the attacker and the victim machine, it is harder to trace the attackers' computer.
Observe The Grave Danger Here
The "tunneling" part of this attack is basically about obscuring the data and commands to avoid detection by monitoring software. Hackers can use base32, base64 or other character sets, or even encrypt the data. This encoding gets past simple detection software that searches only for plaintext patterns.
The notorious SolarWinds SUNBURST attack of 2020 also had a DNS tunneling aspect: it gave an unknown hacker group access to the networks of 18,000+ companies and organizations.
-
How Can You Detect DNS Tunneling?
There are two general methods to detect DNS misuse:
1. Payload analysis
With payload analysis, defenders look at unusual data being sent back and forth: strange-looking hostnames, a DNS record type that is not used all that often, and unusual character sets that can be spotted by statistical techniques.
2. Traffic analysis
In traffic analysis, defenders look at the number of requests to a DNS domain and compare it against average usage. Hackers performing DNS tunneling create very heavy traffic to the server, in theory much greater than a normal DNS exchange. And that should be detectable!
Protecting against DNS tunneling requires that you deploy an advanced network intrusion prevention system (NIPS) capable of detecting and blocking this attempted data exfiltration. Such a system needs to inspect network traffic and have access to robust threat intelligence so that it can identify traffic directed toward malicious domains and malicious content embedded within DNS traffic. We would expect modern NGFWs to do this job for us...
Still, you must go and ask your security professionals how they are filtering inbound and outbound DNS traffic...
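As an added example (not code from the original article), here is a small Python script that applies both detection methods to a DNS query log: the payload side looks at subdomain length, character entropy and rare record types (which also catches the base32/base64 blobs described in the "grave danger" section), and the traffic side compares per-domain query volume and the rate of never-seen-before subdomains against the other domains in the log. The log line format, the thresholds, the rule that the registered domain is the last two labels, the sample log itself and the domain evil-c2.example are all assumptions of this example, not facts from the page.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample log (not a real capture). Assumed format per line:
# "<epoch> <client_ip> <qname> <qtype>". Five ordinary lookups, one malformed
# line, and eight queries whose subdomains are long base32 blobs sent as TXT.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 cdn.example.net A
1700000003 10.0.0.7 static.example.net A
1700000004 10.0.0.5 api.example.com AAAA
this line is garbage and should be skipped
1700000005 10.0.0.9 ORSXG5BAMRQXIYJAMFZGKIDUNBUXG2LT.t.evil-c2.example TXT
1700000006 10.0.0.9 MFZGKIDUNBUXG2LTEBXW4IDBEBRW63LQ.t.evil-c2.example TXT
1700000007 10.0.0.9 NZXXIIDCMFZWKMZSEBQWYYLQEBXW65LS.t.evil-c2.example TXT
1700000008 10.0.0.9 KRUGS4ZANFZSAYJAMNXW44TOMVRXI2LP.t.evil-c2.example TXT
1700000009 10.0.0.9 JFXGG2LNNFXGOIDEMF2GCIDUN5QXI3DF.t.evil-c2.example TXT
1700000010 10.0.0.9 PFXXK4TTEBTGS3DFEBYGC5DIEBUGK4TF.t.evil-c2.example TXT
1700000011 10.0.0.9 GEZDGNBVGY3TQOJQGU4DEMBXGE3DCMJQ.t.evil-c2.example TXT
1700000012 10.0.0.9 MNXW2YLOMQ5CA5DBOIQC6Y3GEBXWM3DB.t.evil-c2.example TXT
"""

# Illustrative thresholds (assumed); a real deployment tunes them to its baseline.
RARE_TYPES = {"TXT", "NULL"}  # record types rarely seen in ordinary browsing
ENTROPY_THRESHOLD = 3.0       # bits per character of the subdomain text
LENGTH_THRESHOLD = 20         # mean subdomain length in characters
RARE_TYPE_FRACTION = 0.5      # share of queries using a rare type
MIN_QUERIES = 5               # below this, unique-subdomain ratios are noise
UNIQUE_RATIO = 0.9            # share of queries that used a fresh subdomain

def shannon_entropy(text):
    """Bits per character of text; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def parse_line(line):
    """Return (qname, qtype) normalised, or None for a line outside the format."""
    parts = line.split()
    if len(parts) != 4 or "." not in parts[2]:
        return None
    return parts[2].lower().rstrip("."), parts[3].upper()

def registered_domain(qname):
    return ".".join(qname.split(".")[-2:])  # assumption: last two labels

def subdomain_part(qname):
    return "".join(qname.split(".")[:-2])  # dots dropped, label text only

def analyze(lines):
    """Per registered domain: payload and traffic statistics plus flag reasons."""
    per_domain = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            per_domain[registered_domain(parsed[0])].append(parsed)
    counts = [len(q) for q in per_domain.values()]
    median_count = statistics.median(counts) if counts else 0
    report = {}
    for domain, queries in per_domain.items():
        subs = [subdomain_part(q) for q, _ in queries]
        n = len(queries)
        stats = {
            "queries": n,
            "unique_subdomains": len(set(subs)),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "mean_sub_len": sum(len(s) for s in subs) / n,
            "rare_type_fraction": sum(t in RARE_TYPES for _, t in queries) / n,
            "reasons": [],
        }
        # Payload analysis: odd-looking names and odd record types.
        if stats["mean_entropy"] > ENTROPY_THRESHOLD and stats["mean_sub_len"] > LENGTH_THRESHOLD:
            stats["reasons"].append("high-entropy long subdomains")
        if stats["rare_type_fraction"] >= RARE_TYPE_FRACTION:
            stats["reasons"].append("unusual record types")
        # Traffic analysis: volume against the other domains, and churn of names
        # (a tunnel must keep changing the subdomain to defeat resolver caching).
        if n > 2 * median_count:
            stats["reasons"].append("query volume far above median")
        if n >= MIN_QUERIES and stats["unique_subdomains"] / n >= UNIQUE_RATIO:
            stats["reasons"].append("almost every query uses a new subdomain")
        report[domain] = stats
    return report

def flagged_domains(lines):
    return sorted(d for d, s in analyze(lines).items() if s["reasons"])

if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG.splitlines()).items():
        print(domain, stats["reasons"] or "ok")
```

Run on the constructed log, only evil-c2.example is flagged, and it trips all four rules. The two families of checks are deliberately independent: an attacker who keeps labels short and plain (beating the payload rules) still has to send many queries with fresh names to move any volume of data, which the traffic rules see; one who throttles to stay under the volume median still sends blobs that stand out on entropy and length.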
-
Kindly write your comments on the posts or topics, because when you do, you help me greatly in designing new quality articles and posts on cybersecurity.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...