What is DNS Tunneling? - Check Point Software (2024)

Table of Contents
What is DNS? How does DNS Tunneling Work? Detecting DNS Tunneling Attacks How to Protect Against DNS Tunneling

What is DNS?

In simple terms, DNS is the phone directory of the Internet. When browsing the Internet, most users prefer to type in the domain or URL of the website that they want to visit (like https://www.checkpoint.com). However, the Internet’s servers and infrastructure use IP addresses to identify the destination of the traffic and route it there.

See Also
How to Reinstall Microsoft Teredo Tunneling Adapter (MTTA)What Is Network Tunneling & How Is It Used? | Traefik Labs

DNS provides conversions between domain names and IP addresses. It is organized as a hierarchical system with servers for different subdomains. A visitor to the site checkpoint.com would ask a .com DNS server for the IP address of the checkpoint.com DNS server. A second request to this DNS server would then provide the IP address of the server hosting the desired webpage. The user is now able to visit their desired site.

How does DNS Tunneling Work?

DNS is one of the fundamental protocols of the Internet. Without the lookup services that it provides, it would be nearly impossible to find anything on the Internet. To visit a website, you would need to know the exact IP address of the server that is hosting it, which is impossible. As a result, DNS traffic is some of the most trusted traffic on the Internet. Organizations allow it to pass through their firewall (both inbound and outbound) because it is necessary for their internal employees to visit external sites and for external users to find their websites.

DNS tunneling takes advantage of this fact by using DNS requests to implement a command and control channel for malware. Inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests. This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites. Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.

DNS tunneling attacks are simple to perform, and numerous DNS tunneling toolkits exist. This makes it possible for even unsophisticated attackers to use this technique to sneak data past an organization’s network security solutions.

Detecting DNS Tunneling Attacks

DNS tunneling involves abuse of the underlying DNS protocol. Instead of using DNS requests and replies to perform legitimate IP address lookups, malware uses it to implement a command and control channel with its handler.

DNS’s flexibility makes it a good choice for data exfiltration; however, it has its limits. Some indicators of DNS tunneling on a network can include:

  • Unusual Domain Requests: DNS tunneling malware encodes data within a requested domain name (like DATA_HERE.baddomain.com). Inspection of the requested domain names within DNS requests may enable an organization to differentiate legitimate traffic from attempted DNS tunneling.
  • Requests for Unusual Domains: DNS tunneling only works if the attacker owns the target domain so that DNS requests go to their DNS server. If an organization is experiencing a sudden surge in requests for an unusual domain, it may indicate DNS tunneling, especially if that domain was only created recently.
  • High DNS Traffic Volume: The domain name within a DNS request has a maximum size (253 characters). This means that an attacker likely will need a large number of malicious DNS requests to perform data exfiltration or implement a highly-interactive command and control protocol. The resulting spike in DNS traffic can be an indicator of DNS tunneling.

All of these factors can be benign on their own. However, if an organization is experiencing several or all of these abnormalities, it may be an indication that DNS tunneling malware is present and active within the network.

How to Protect Against DNS Tunneling

Protecting against DNS tunneling requires an advanced network threat prevention system capable of detecting and blocking this attempted data exfiltration. Such a system needs to perform inspection of network traffic and have access to robust threat intelligence to support identification of traffic directed toward malicious domains and malicious content that may be embedded within DNS traffic.

Check Point’s next-generation firewalls (NGFWs) provide industry-leading threat detection and network security capabilities. To learn more about Check Point’s solutions and how they can improve your organization’s network security, contact us. You’re also welcome to request a demonstration to see Check Point NGFWs in action.

What is DNS Tunneling? - Check Point Software (2024)
Top Articles
Intraday Trading Using Camarilla
Rabobank Apeldoorn en omgeving
Minooka Channahon Patch
Combat level
Roblox Developers’ Journal
Find The Eagle Hunter High To The East
Find your energy supplier
Goldsboro Daily News Obituaries
Mephisto Summoners War
Classroom 6x: A Game Changer In The Educational Landscape
WWE-Heldin Nikki A.S.H. verzückt Fans und Kollegen
Aspen.sprout Forum
Dr Manish Patel Mooresville Nc
Craigslist Free Stuff Greensboro Nc
Army Oubs
CDL Rostermania 2023-2024 | News, Rumors & Every Confirmed Roster
Ahrefs Koopje
Glenda Mitchell Law Firm: Law Firm Profile
Atdhe Net
Bidevv Evansville In Online Liquid
Foolproof Module 6 Test Answers
Il Speedtest Rcn Net
Sienna
Booknet.com Contract Marriage 2
Account Now Login In
Jersey Shore Subreddit
Mami No 1 Ott
Viduthalai Movie Download
Visit the UK as a Standard Visitor
Dentist That Accept Horizon Nj Health
Pokemmo Level Caps
Strange World Showtimes Near Regal Edwards West Covina
Lehpiht Shop
Frostbite Blaster
Babylon 2022 Showtimes Near Cinemark Downey And Xd
Robeson County Mugshots 2022
20 Best Things to Do in Thousand Oaks, CA - Travel Lens
Banana Republic Rewards Login
Complete List of Orange County Cities + Map (2024) — Orange County Insiders | Tips for locals & visitors
Stewartville Star Obituaries
Rocky Bfb Asset
Az Unblocked Games: Complete with ease | airSlate SignNow
Skyward Cahokia
Xre 00251
CPM Homework Help
17 of the best things to do in Bozeman, Montana
Doelpuntenteller Robert Mühren eindigt op 38: "Afsluiten in stijl toch?"
Rubmaps H
Zom 100 Mbti
Palmyra Authentic Mediterranean Cuisine مطعم أبو سمرة
Latest Posts
Vacation Rental Hosting: How to Clean your Home FAST between AirBNB Guests
How to Prepare Your Home for Airbnb, VRBO, or Other Short-Term Guests
Article information

Author: Neely Ledner

Last Updated:

Views: 6174

Rating: 4.1 / 5 (62 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Neely Ledner

Birthday: 1998-06-09

Address: 443 Barrows Terrace, New Jodyberg, CO 57462-5329

Phone: +2433516856029

Job: Central Legal Facilitator

Hobby: Backpacking, Jogging, Magic, Driving, Macrame, Embroidery, Foraging

Introduction: My name is Neely Ledner, I am a bright, determined, beautiful, adventurous, adventurous, spotless, calm person who loves writing and wants to share my knowledge and understanding with you.