What Is DNS Tunneling? (2024)

Domain name system, or DNS, is the protocol that translates human-friendly domain names, such as paloaltonetworks.com, into machine-friendly IP addresses, such as 199.167.52.137.

DNS is a critical and foundational protocol of the internet. It is often described as the “phonebook of the internet” because it maps domain names to IP addresses (and much more as described in the core RFCs for the protocol).

DNS’ ubiquity (and frequent lack of scrutiny) can enable elegant and subtle methods for communicating and sharing data beyond the protocol’s intentions. Unsurprisingly, cybercriminals know that DNS is widely used and trusted, which makes DNS security solutions important.

Furthermore, because DNS is not intended for data exfiltration, many organizations don’t monitor their DNS traffic for malicious activity. As a result, a number of types of DNS-based attacks can be effective if launched against company networks. DNS tunneling is one such attack.

How DNS Tunneling Works

DNS tunneling attacks exploit the DNS protocol to tunnel malware and other data through a client-server model.

  1. The attacker registers a domain, such as badsite.com, and delegates it (via its NS records) to a name server the attacker controls, where a tunneling malware program is installed.
  2. The attacker infects a computer, which often sits behind a company’s firewall, with malware. Because DNS requests are almost always allowed through the firewall in both directions, the infected computer can send a query for a name under badsite.com to its DNS resolver. The DNS resolver is the (usually recursive) server that answers such queries by working down from the root and top-level domain servers to the authoritative name server for the queried domain.
  3. Because badsite.com is delegated to the attacker’s name server, the resolver forwards the query to the attacker’s command-and-control server, where the tunneling program is installed, and relays the answer back to the victim. A two-way channel now exists between the victim and the attacker through the DNS resolver: data is carried outbound in the queried names and inbound in the responses. This tunnel can be used to exfiltrate data or for other malicious purposes. Because there is no direct connection between the attacker and victim, it is more difficult to trace the attacker’s computer.

DNS tunneling has been around for almost 20 years. Both the Morto and Feederbot malware have been used for DNS tunneling. Recent tunneling attacks include those from the threat group DarkHydrus, which targeted government entities in the Middle East in 2018, and OilRig, which has been operating since 2016 and is still active.

Preventing DNS Tunneling

DNS is a very powerful tool used almost everywhere, allowing applications and systems to look up the resources and services they need to interact with. Because DNS is the communication foundation on which higher-level protocols depend, it is easy to overlook from a security point of view, especially when so much attention goes to malware delivered over email protocols or downloaded from the web over HTTP.

For these reasons, DNS is the perfect choice for adversaries who seek an always-open, overlooked and underestimated protocol to leverage for communications from and to compromised hosts.

Organizations can defend themselves against DNS tunneling in many different ways, whether using Palo Alto Networks Network Security Platform or open source technology. Defense can take many different forms, including, but not limited to, the following:

  • Blocking domain names (or IPs or geolocation regions) based on known reputation or perceived danger.
  • Rules around “strange looking” DNS query strings, such as unusually long, high-entropy or encoded-looking labels.
  • Rules around the length, record type or size of both outbound and inbound DNS queries.
  • General hardening of the client operating systems, and understanding their name resolution capabilities as well as their specific search order.
  • User and/or system behavior analytics that automatically spot anomalies, such as new domains being accessed, especially when the method of access and frequency are abnormal.
  • Palo Alto Networks recently introduced a new DNS security service focused on blocking access to malicious domain names.

DNS Security Best Practices

  • Train and educate your security staff
    Implement a security education and awareness program to train your staff to identify malicious threats. Encourage them to take precautions when following links to avoid installing malware. Phishing training can help them learn to recognize, avoid and report email-based attacks.
  • Implement a threat intel program
    Understand the threat landscape and set up a threat intelligence program to be aware of the different types of threats and techniques attackers are using today. With this knowledge, you can ensure you have the right technology stack to keep your network safe.
  • Learn what DNS data can tell you
    Don’t just look at DNS traffic. Collecting DNS logs has little value unless you understand what you’re looking at. By understanding the data, you can protect your organization from never-before-seen DNS-layer threats.
  • Don’t delay on a DNS resolver
    If a DNS server is compromised, it may feed you false responses meant to direct your traffic to other compromised systems or enable a man-in-the-middle attack.
  • Plan for the risk of remote work
    Develop a strategy for your remote workforce as they can put sensitive company data at risk. Warn them against using unsecured, free or public Wi-Fi as adversaries can easily put themselves between employees and the connection point. Integrate multifactor authentication and prepare for the risk of devices being lost or stolen.
  • Approach network security holistically
    Take a holistic approach to network security and ensure you have the right capabilities that can address various threat vectors in your network and be easily integrated within your entire security stack. When evaluating vendor solutions, it’s important to make direct comparisons in proofs of concept. Every environment is different, and independent vendor-neutral testing for DNS-layer security has not yet been established.
  • Automate responses and not just alerts
    To successfully protect your organization, you need automated responses and not just alerts. The speed at which threats are carried out makes alerts and signals ineffective. By the time a threat has been identified, it may already be too late. Your security team needs to be able to automatically determine threats and quarantine potentially infected systems before more damage is done. In order to ensure your organization is following best practices and optimizing Palo Alto Networks DNS Security service, take a Best Practice Assessment.

How do you stop attackers from using DNS against you? Read our whitepaper to learn the steps you can take to stop DNS attacks.

DNS Tunneling FAQs

How does DNS tunneling work?

DNS tunneling works by encoding data from other protocols or applications within DNS queries and responses. Attackers exploit the DNS protocol to bypass network security measures. They create a tunnel between a compromised device and a malicious server by embedding command and control (C2) instructions or data exfiltration payloads within the DNS traffic. This allows them to communicate with and control infected systems without being detected.

What are the signs of a DNS tunneling attack?

Common signs of a DNS tunneling attack include:

  • Unusual DNS query patterns or volumes.
  • Queries to suspicious or rarely used domains.
  • High frequency of DNS TXT record requests.
  • Unexpected or irregular DNS traffic to external servers.
  • Degraded network performance due to increased DNS traffic.
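Several of the indicators above, and the rules listed under “Preventing DNS Tunneling” (query length, record type, “strange looking” query strings, new subdomains being accessed), can be turned into a scoring pass over resolver logs. The following is an added example, not Palo Alto Networks code; it assumes a hypothetical whitespace-separated log format with constructed sample lines, and requires at least two independent signals before flagging a domain, because any one of them alone also fires on CDNs and mail-security TXT lookups.

```python
import math
from collections import defaultdict

# Constructed lines in a hypothetical "<client> <qtype> <qname>" resolver log format;
# the hex-looking labels under badsite.example stand in for tunnel-encoded payloads.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 9f3a71c0e4b25d18.x9f2k.badsite.example
10.0.0.7 TXT 3c8e1f4a9b0d7e62a5f1.q1mz7.badsite.example
10.0.0.7 TXT 0b7d4e91c3a6f28e5d1c07.z8pq1.badsite.example
10.0.0.7 TXT e2a9c4f17b3d6850.aa0b7.badsite.example
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above real hostnames."""
    counts = {c: s.count(c) for c in set(s)}
    return max(0.0, -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()))

def registered_domain(qname):
    """Last two labels (assumption: no public-suffix list is consulted)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def domain_stats(text):
    """Aggregate, per registered domain, the signals the article lists."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                 "max_len": 0, "entropy_sum": 0.0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip blank or malformed lines
            continue
        qtype, qname = parts[1].upper(), parts[2].lower().rstrip(".")
        dom = registered_domain(qname)
        sub = qname[:-len(dom)].rstrip(".")   # labels left of the registered domain
        d = stats[dom]
        d["queries"] += 1
        d["txt"] += qtype == "TXT"
        d["subdomains"].add(sub)
        d["max_len"] = max(d["max_len"], len(qname))
        d["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    return stats

def flag_tunnel_candidates(text, max_len=40, txt_ratio=0.5, min_entropy=3.0, min_unique=3):
    """Domains tripping at least two rules: long names, TXT-heavy, high-entropy labels, many subdomains."""
    flagged = []
    for dom, d in domain_stats(text).items():
        hits = (d["max_len"] > max_len, d["txt"] / d["queries"] >= txt_ratio,
                d["entropy_sum"] / d["queries"] >= min_entropy, len(d["subdomains"]) >= min_unique)
        if sum(hits) >= 2:
            flagged.append(dom)
    return sorted(flagged)
```

Running `flag_tunnel_candidates(SAMPLE_LOG)` flags only badsite.example; the thresholds are starting points to tune against a baseline of your own resolver logs.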

What are the risks of DNS tunneling?

The risks associated with DNS tunneling include data breaches, unauthorized access to sensitive information, loss of intellectual property, and the potential for further exploitation of compromised systems. DNS tunneling can be used for data exfiltration, command and control (C2) communication, and malware distribution, posing significant threats to an organization’s security and operations.

How can organizations detect and prevent DNS tunneling?

Organizations can detect and prevent DNS tunneling attacks by:

  • Implementing advanced DNS traffic analysis and monitoring tools.
  • Using threat intelligence to identify and block known malicious domains.
  • Configuring DNS security extensions (DNSSEC) to ensure the authenticity of DNS data.
  • Applying network segmentation and access controls to limit the spread of potential threats.
  • Educating employees about the risks and signs of DNS tunneling attacks.

Why do attackers use DNS tunneling?

Attackers use DNS tunneling because it leverages the DNS protocol, which is often allowed through firewalls and security measures due to its essential role in network operations. By embedding malicious data within DNS queries and responses, attackers can stealthily bypass traditional security defenses, maintain persistence within a target network, and exfiltrate data or receive commands without raising immediate suspicion.

Article information

Author: Rueben Jacobs