Need cloud computing? Get started now

What Is DNS Tunneling?

DLS tunneling is a type of cyberattack that allows hackers to bypass network security by using the Domain Name System (DNS) as a transport for malicious traffic. By hiding non-DNS traffic within DNS packets, attackers can often bypass network security measures. Successful DNS tunneling attacks allow hackers to bypass network security, exfiltrate data, control other computers, collect user credentials, or explore a network’s footprint for future attacks.

What are DNS queries and DNS traffic?

DNS is like GPS for the internet. DNS servers translate the human-readable names that users type into a web browser into machine-readable IP addresses — a string of numbers such as 2001:db8:3e8:2a3::b63 — that allow the browser to load the correct site. DNS lets people navigate the web using easy-to-remember domain names rather than keeping track of the IP address for the sites they want to visit.

Several things make DNS an attractive attack vector for hackers. Many applications and services rely on DNS queries, and DNS traffic is widely trusted. DNS protocols were not designed to be secure, but rather to quickly and accurately resolve requests for IP addresses without questioning the credentials or motives of the user or device making the request. In addition to resolving the domain names, DNS queries may also transfer small amounts of data between devices, servers, or systems. Because many organizations do not adequately analyze these packets for malicious activity, domain tunneling can be a highly effective DNS attack vector.

How does DNS tunneling work?

A DNS tunneling attack begins when a user downloads malware to a computer or a hacker successfully exploits a vulnerability in a computer system and installs a malicious payload. Typically, attackers will want to retain control of the device, enabling them to run commands or to transfer data out of the environment. To do this, attackers need to establish a tunnel — a way of sending commands and receiving data from the compromised system while avoiding detection by its network perimeter security measures.

DNS traffic is perfect for this exploit as it typically passes freely through perimeter security measures like firewalls. To create the tunnel, the attacker creates and registers a domain name, and configures an authoritative nameserver under the attacker’s control. When the malware on the victim’s device makes a DNS query for the attacker’s server, the server responds with DNS packets that contain data and commands for the compromised device. In this way, attackers can continuously communicate with the compromised device without setting off any alarms. An attacker may also send data encoded in queries sent to malicious authoritative nameservers.

How do hackers use DNS tunneling?

DNS tunneling enables attackers to perform a variety of malicious activities.

  • Installing malware. Attackers may use DNS tunneling to install malware on additional systems.
  • Collecting credentials. Once they have command and control of a device, attackers can use keyloggers and other methods to collect user credentials that can be used to mount additional attacks or be sold on the dark web.
  • Exploring the network. DNS queries from within an infected network can help attackers build a map of the network, identifying systems and high-value assets.
  • Exfiltrating data. Cybercriminals may use DNS tunneling to transfer data out of the network, including sensitive or confidential user information.
  • Controlling devices. With the ability to control an infected device, attackers can trigger other threats such as DDoS attacks.

Why are DNS tunneling attacks effective?

Many businesses don’t monitor their DNS traffic for malicious activity.

How can DNS tunneling be detected?

Security teams can analyze payloads and traffic for signs of a DNS tunneling attack.

Payload analysis looks at the contents of DNS requests and responses. For example, unusual hostnames, or significant differences between the size of a DNS request and the response, may be a sign of suspicious activity. Payload analysis may also search for unusual character sets, strange information being sent via DNS, DNS record types that are not frequently used, or recurring patterns from source IP addresses sending the most traffic.

Traffic analysis monitors data like the number of requests made, where they originate, the history of domains, and DNS anomalous behavior. IT teams may also analyze the size of packets since DNS tunneling typically generates larger packet sizes.

How can DNS tunneling attacks be prevented?

To prevent DNS tunneling attacks, IT and security teams may follow several cybersecurity best practices.

  • Conduct security awareness training to help employees avoid clicking on malicious links, opening suspicious emails and attachments, or taking other actions that could trigger malware.
  • Implement advanced antivirus and anti-malware technology to help avoid malware installation, which is often the first step in establishing a DNS tunnel.
  • Deploy technology to perform a deep scan of all network traffic — including DNS requests — to uncover DNS tunneling attacks.
  • Monitor DNS tunneling VPN services, such as antivirus programs and other security solutions that use DNS tunneling to fetch signatures but could also be used for illegitimate reasons.
  • Deploy DNS firewalls or DNS tunneling utilities that monitor for suspicious behavior.
  • Adopt advanced threat protection solutions to improve DNS security, block malware, stop data exfiltration, and uncover malicious content embedded within DNS traffic.

Frequently Asked Questions (FAQ)

DNS tunneling is a technique that involves encapsulating non-DNS traffic within DNS packets, often used for covert data transmission.

Detection methods include traffic analysis, anomaly detection, and the use of specialized tools designed to identify abnormal DNS patterns.

While DNS tunneling can have legitimate uses, it is often exploited for malicious purposes, making detection and prevention crucial.

Yes, DNS tunneling can be employed for legal purposes, such as bypassing network restrictions for authorized activities.

Implementing robust network security measures, employing DNS monitoring tools, and staying informed about evolving threats are essential for protection.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.

Explore all Akamai security solutions