Need cloud computing? Get started now

What Is DNS Data Exfiltration?

What is DNS data exfiltration?

DNS data exfiltration is a method used by hackers to steal data from an IT system or network by exploiting the Domain Name System (DNS) protocol. In a data exfiltration attack, hackers remove confidential or sensitive data from inside a protected IT environment by embedding it within DNS packets. Since DNS traffic is generally allowed through firewalls and security systems, the malicious data in DNS packets has a high chance of leaving the organization without triggering security alerts. DNS data exfiltration is often one outcome of DNS tunneling attacks. 

What is DNS?

DNS is responsible for translating human-readable domain names like website.com into IP addresses such as 2001:db8:3e8:2a3::b63 that are readable by computers. When a user enters a domain name into a web browser, recursive DNS servers or resolvers search for the corresponding IP address by communicating with other nameservers, including root nameservers, top-level domain (TLD) servers, and authoritative nameservers. Alternatively, DNS servers may provide the IP address records from previous DNS responses that have been stored in their cache memory. These communications and DNS requests are commonly allowed through firewalls and are not subject to strict monitoring, making them an ideal attack vector for cybercriminals seeking to smuggle data out of an IT network.

How does DNS data exfiltration work?

In a DNS data exfiltration attack, a hacker first installs malware on a compromised network or system. This may be accomplished by getting a user inside the network to click on a link or visit a website containing malware that’s then downloaded to their machine. Hackers may also breach a network with stolen credentials and install malware within the environment to take control of the infected device, making it a command and control server.

Attackers then use the DNS protocol to embed data within packets in DNS queries (e.g., encodedstringofdata.attacker.example.com) that resolve to a domain nameserver the attacker owns. The DNS queries containing stolen data pass undiscovered through firewalls and security systems to the attacker’s authoritative nameserver, where the exfiltrated data is decoded and the transfer is complete.

How is stolen data embedded in DNS traffic?

Attackers use several techniques to exfiltrate data via DNS. Attackers may hide sensitive information by encoding it and including it in a subdomain name or resource record data. They may also encapsulate data within DNS packets by splitting information into smaller chunks and sending them over multiple DNS queries and responses. They may embed the data by altering the query ID or modifying DNS packet headers, which the attacker’s server will recognize, and extract or decode the exfiltrated data from the altered DNS traffic.

What is low-throughput data exfiltration?

Low-throughput data exfiltration refers to exfiltration that occurs at a very slow rate to evade detection by network security products. Other forms of DNS attacks like DNS tunneling are often high-throughput incidents, causing a significant change in DNS traffic volumes that can alert security systems to the presence of an attack. In low-throughput data exfiltration, there is no significant spike in traffic volumes since an infected system or endpoint may only send a DNS request once an hour. That makes this particular form of exfiltration over DNS extremely difficult to detect.

How can DNS data exfiltration be prevented?

IT teams can prevent exfiltration of data by following several cybersecurity best practices.

  • Adopt a DNS security solution. DNS security solutions use data exfiltration detection algorithms to continually monitor traffic and analyze DNS traffic logs in search of anomalous patterns or indicators of compromise.
  • Ensure firewalls and proxies are correctly configured. Firewalls and proxies should be configured to restrict outbound DNS traffic and prevent unauthorized connections to external DNS servers.
  • Enable rate limiting. Limiting the response rate on DNS servers can mitigate the impact of DNS floods and amplification attacks, which hackers often use to distract attention away from their data exfiltration efforts.
  • Deploy DNS firewalls. DNS firewall solutions inspect DNS traffic in real time and leverage threat intelligence to block malicious requests and data exfiltration.
  • Optimize patching cadences. Keeping DNS servers and software up to date, and regularly applying patches, can remediate vulnerabilities that attackers may exploit as they seek to gain access and exfiltrate data.
  • Implement security awareness training. Since human error is one of the most common contributors to successful cyberattacks, security awareness training can help employees avoid the kinds of actions that enable attackers to breach defenses and establish DNS data exfiltration campaigns.

Frequently Asked Questions (FAQ)

Cybercriminals often target sensitive data, such as financial records, customer information, and intellectual property.

While it’s challenging to prevent all attempts, proactive measures can significantly reduce the risk.

Yes, small businesses are not immune. Cybercriminals often target smaller entities due to their relatively weaker security measures.

Consult with cybersecurity experts or vendors specializing in DNS security to find the most suitable solution.

Yes, several high-profile breaches have occurred in recent years, highlighting the severity of this threat.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Explore all Akamai security solutions