Prevent DNS Tunneling Attacks

Domain Name System (DNS) tunneling is a technique hackers use to bypass network security and covertly transmit data by storing it inside Domain Name System (DNS) packets.

The DNS — a framework that resolves domain names to IP addresses to facilitate internet communications — is the phonebook of the internet. Any time you type a URL into your browser, the computer queries a DNS server which then searches for the associated IP address and distributes the data back to your machine.

In a DNS tunneling attack, bad actors exploit this process to transmit data that isn’t typically sent through DNS queries or responses — like command and control communications, file transfers, and exfiltrated data. By hiding data in specially designed DNS packets, hackers can get sensitive information to pass through firewalls and security systems, since DNS traffic isn’t always thoroughly inspected.

Most of the time, DNS is very efficient and works as designed. But it also has a massive security vulnerability: DNS queries and responses can be manipulated and used to carry out cyberattacks. If you’re wondering how threat actors launch DNS tunneling attacks, here’s how it works. 

1. Register a malicious website 

First, the threat actor sets up a malicious domain or subdomain. In some cases, sophisticated cybercriminals also create legitimate-looking websites to mask their activity. Once the website is up and running, the hacker installs DNS tunneling programs to launch attacks when ready.

2. Infect a computer or endpoint

To launch a DNS tunneling attack, threat actors must find a way to infect the target machine (e.g., a laptop or IoT device) inside the company’s network with malware. Threat actors may accomplish this using a variety of mechanisms. Some methods include sending compromised systems to the company’s facility, directing unsuspecting users to infected websites, or spreading tunneling malware via email.

3. Connect to the computer 

Once the hacker infects the target computer, that device can send queries to the DNS server or DNS resolver the hacker controls. The attacker’s server then issues IP address requests to the target’s top-level domain servers.

4. Pass malicious code

At this point, the DNS resolver sends the computer’s query to the command-and-control (C2) server, which contains a tunneling program. This creates a control channel between the attacker and victim and makes it possible to steal data and perform other activities without the target knowing.

During a DNS attack, threat actors typically aim to create covert communication channels between their private servers and the target network. Doing this allows them to silently lift information without the host knowing an attack is happening.

After establishing a DNS tunnel, hackers can opt to carry out several different types of DNS tunneling attacks:

• DNS data exfiltration uses DNS queries or responses to transfer sensitive data out of a compromised network. The attacker hides data in DNS traffic and covertly distributes it to a private server they control. This type of attack takes place over time, allowing threat actors to easily lift large volumes of data without being detected.

• DNS command and control (C2) uses DNS channels to establish communication between malware and its C2 server. The attacker first installs malware on the target system and communicates with it via DNS traffic.

• DNS domain generation algorithms (DGA) generate and resolve pseudo-random domain names to evade detection and control infected systems. Threat actors use DGAs to create new domain names and evade security blacklists and monitoring services.

• DNS covert channels encapsulate unauthorized communication within DNS traffic to bypass network security measures. DNS covert channels allow threat actors to engage in C2 communication and data exfiltration.

• DNS tunneling over HTTPS involves encapsulating DNS traffic within HTTPS connections to bypass network filters and steal data. When running DNS traffic over HTTPS, communication appears as standard HTTPS traffic and becomes very difficult for security researchers to detect.

• Policy bypass happens when a threat actor creates an Internet Protocol version 4 (IPv4) tunnel by exploiting systems with outbound IP traffic. The threat actor worms into the network, avoiding Wi-Fi security controls and firewalls.

DNS attacks are complicated to detect since they use encryption and encapsulation to disguise harmful payloads as normal traffic. In addition, DNS tunneling uses a covert communication channel inside DNS traffic, making it harder to detect. Threat actors may also use advanced techniques to evade detection mechanisms like randomizing DNS requests or using DNS tunneling over encrypted channels.

Despite this, there are some techniques organizations can use to scan for DNS tunneling attacks, like:

• Monitoring DNS traffic for unusual patterns or abnormally large query/response sizes. DNS queries and responses have size limits. If you notice large query or response sizes that exceed the standard limits during payload analysis, it could indicate that a DNS tunneling attack is occurring.

• Analyzing DNS logs for suspicious domain names or repeat queries to uncommon domains. For example, if you see a lot of domain names containing spelling errors or closely resembling legitimate sites, that traffic may be malicious. 

• Using network monitoring tools and tunneling toolkits to identify anomalies in DNS traffic, like a high volume of requests or unusual DNS query types. DNS monitoring tools analyze packets moving between DNS servers and clients, which can make it easier to identify malicious activity.

• Implementing DNS monitoring and anomaly detection systems to detect abnormal DNS behavior. DNS monitors continuously analyze DNS traffic and help establish a baseline level of normal DNS activity.

• Reviewing and analyzing DNS traffic regularly to identify potential signs of data exfiltration or covert communication. Routinely inspect query and response data to detect signs of suspicious activity. While you’re at it, integrate DNS traffic with real-time threat intelligence systems to flag issues as they occur.

DNS attacks don’t receive much media attention as high-profile ransomware or denial-of-service (DoS) attacks. However, they are still a persistent threat — something all businesses must be aware of. To better understand what such attacks look like in the real world, let’s examine a few examples of DNS tunneling.

• Decoy Dog Recently, security researchers discovered a sophisticated malware toolkit called Decoy Dog that’s actively targeting enterprise networks. One of its main components is Pupy RAT, an open-source trojan that threat actors deliver through DNS tunneling and use to launch other attacks.

• B1txor20 In 2022, cybersecurity researchers discovered a type of malware called B1txor20 that targets Linux systems and exploits the notorious Log4j vulnerability. This malware uses DNS tunneling to communicate with the C2 server, exfiltrate data, and execute commands.

• Cobalt Strike Many ransomware actors now use the Cobalt Strike framework to distribute payloads through DNS responses. DNS tunneling is one of the most popular trends in ransomware attacks because it provides easy entry for cybercriminals and enables them to silently launch attacks and assume command of target systems. • xHunt In the infamous xHunt campaign, threat actors successfully compromised a Microsoft Exchange server at a Kuwait-based company. The hackers deployed two PowerShell scripts to gain backdoor access and set up a DNS tunneling channel to run commands on the captured server. This particular campaign disrupted critical infrastructure and led to the compromise of sensitive information.

According to a recent report from IDC, 88% of organizations experienced a DNS attack in 2022, and 28% of those attacks involved DNS tunneling — an increase of 4% from 2021. What’s more, 73% of organizations say DNS security is critical for their business. 

While it isn’t always possible to prevent DNS tunneling attacks from making their way into your network, there are steps you can take to bolster your defenses.

1. DNS monitoring services

DNS monitoring services actively analyze DNS traffic in real time to identify anomalies, query patterns, and response times. These services help to discover key patterns that can reveal DNS tunneling attacks. It’s possible to further protect your network by linking DNS monitoring services to other security services — like intrusion detection systems (IDS) and security information and event monitoring (SIEM) platforms. 

2. Implement a ZTNA solution 

As the name suggests, a zero-trust network access (ZTNA) strategy involves treating all users and identities as potential threats. ZTNA requires authenticating and authorizing all users before providing network access. As a result, it reduces your attack surface and makes it harder for threat actors to use DNS tunneling to access private information.

3. Set up traffic analysis and firewall rules

Traffic analysis involves studying network traffic data to discover insights and patterns, while firewall rules govern how traffic flows across the network. Using these strategies together can help identify DNS tunneling and block queries that align with known DNS tunneling behavior. For example, an organization can strategically block certain domain names, IPs, or regions.

4. Track behavior analytics 

By studying user and system behavior analytics with real-time and historical monitoring tools, you can automatically spot anomalies that could indicate an incoming DNS tunnel attack. For example, this may include accessing new or suspicious domains or accessing specific domains with greater frequency.

5. Hunt for threats 

Threat hunting — which involves analyzing network DNS logs and using threat intelligence to uncover DNS tunneling activities — can help prevent DNS tunneling by uncovering intruders inside of the network. By prioritizing threat hunting, organizations can potentially eliminate threats before they strike. As an added bonus, threat hunting also helps address vulnerabilities and prevent future attacks.