What is DNS Tunneling?

By Staff Reporter , Dec 30, 2019 03:07 PM EST
(Photo : Pixabay)

Cybersecurity is a growing concern for businesses of all sizes. There's a lot to learn about all things cybersecurity, and most businesses, even very small ones, outsource their network management and security planning. 

Regardless of whether or not you directly implement security solutions, you should still have a general idea of what the threats are and how to protect against them. 

One type of threat is called DNS tunneling. DNS stands for domain name system. It's often grouped in with dynamic host configuration protocol (DHCP) and IP address management (IPAM) for automated security purposes. These together are referred to as DDI in networking

The domain name system translates URLs into IP addresses. A domain name system is one of many points of entry a cyber attacker may use to gain access to a network, and the following are key things to know about what's referred to as DNS tunneling. 

An Overview of DNS Tunneling

A DNS server is a link to an IP address, and tunneling is an attempt on the part of a hacker to seize the protocol. Hackers use DNS tunneling to own a network, and it's not a new concept. Certain relatively well-known types of malware including Feederbot and Morto, have been used for DNS tunneling. 

With tunneling, a hacker will take the DNS pathway, which is established, and use it as a way to gain information about the company for malicious reasons. Often, email addresses are the source of data breaching seen with DNS tunneling. 

The reason DNS tunneling is popular among hackers and cybercriminals is that DNS is very frequently used and is widely trusted. Also, DNS isn't meant as a way to transfer data, so it's a point of weakness for a lot of organizations because they don't monitor the traffic or activity. 

How Does DNS Tunneling Work?

With a DNS tunneling attack, there is an exploitation of the DNS protocol with the objective of tunneling malware and data through the client-server model.

So what could happen is this-a cyber attacker registers a domain, and the domain name server directs to the server of the attacker. This is where tunneling malware is installed. 

The attacker infects a computer, which is very often behind a firewall, with malware. 

Since DNS requests can always go in and out of a firewall, the infected computer sends the query to the DNS resolver. A connection is established through this DNS resolver, and the tunnel is a way to remove data. It's tough to track this kind of cyber-attack because there isn't a direct connection between an attacker and a victim. 

There are two ways DNS tunneling attacks might be detected. One is payload analysis. With this option, defenders look at unusual data that's being transmitted. For example, this might include a different character or a DNS record type not frequently used. 

Another way to detect this type of attack is traffic analysis. With this option, defenders look at how many requests are going to a DNS domain and then compare that to the average data usage figures. 

When a hacker is in the midst of a DNS tunneling attack, it causes heavy server traffic. 

There are other similar ways to use protocols for tunneling.

For example, Command and Control malware, HTTP might be used as a way to disguise communications. In this situation, the data looks like browser traffic to a remote hacker-controlled website. 

Pretty much any confidential information can be the target of this type of breach. 

Information used in identity theft including Social Security numbers and health care data may be targeted, and financial information can be a target also. 

Protecting Your Organization

As was mentioned, DNS is often left unmonitored and unsecured, which is why DNS tunneling occurs so frequently. 

The right tools need to be selected to prevent DNS tunneling and detect it quickly if it is occurring. For example, the tool needs to look at complex data extraction that may be happening, and also attacks that stem from pre-configured packages. 

A DNS firewall can be a way to identify possible intrusions, and a DNS security solution needs to offer real-time analytics. 

A DNS security tool should have the functionality to blacklist certain destinations, and of course, automation is essential to detect any strange patterns because human monitoring just isn't as efficient or comprehensive. DNS protection should be part of a larger DNS infrastructure and network architecture. 

The most important takeaway here is the DNS is a point of weakness often exploited and organizations need to be aware, so they can take the necessary steps to prevent it. 

© 2020 ITECHPOST, All rights reserved. Do not reproduce without permission.
Real Time Analytics