What is DNS tunneling?
DNS tunneling is a way of transmitting information through the protocol which usually resolves network addresses.
A normal DNS query only contains the information necessary to communicate between two devices. DNS tunneling inserts an unrelated stream of data into that pathway, establishing a form of communication which bypasses most filters, firewalls, and packet capture software.
DNS tunneling moves data across a network in a way that makes it appear as public information, when in fact it is private. This form of secure movement allows the data to pass through the network unnoticed via a process called encapsulation. In short, DNS tunneling is like a VPN connection through the DNS protocol.
Is DNS tunneling a security risk?
DNS is often left open and unmonitored. Some network administrators believe that they've got Port 53 covered with their firewall, and take no further action. Knowing this, malicious actors increasingly use DNS tunneling to their advantage, skirting standard cybersecurity protections by communicating through what looks like a background operational channel. There are plenty of DNS tunneling tools like Iodine which can be used right off the shelf. Most DNS tunneling techniques are not particularly stealthy. When no one’s looking, they don’t have to be.
Malicious actors use DNS tunneling in many ways. They can establish command and control, using DNS tunneling to hide the “beaconing” to outside assets which most filters and firewalls would notice. Data exfiltration can also take place through DNS tunneling. In these cases, information is often broken up into smaller pieces, moved out through DNS, and re-assembled on the other end.
How to detect DNS tunneling
How can DNS tunneling be detected? The queries themselves often provide clues.
Standard DNS queries are usually quite simple – they consist primarily of a domain and subdomain. DNS tunneling, on the other hand, usually attempts to put as much data into the record as possible. Querying for text records, which are not commonly used by a typical client, may be helpful in identifying DNS tunneling activity.
It’s important to note that in DNS tunneling, patterns often include of a series of queries – each one different from the next. The unique nature of these queries is designed to increase the chances of getting through. Records with long strings of unique characters, long labels, and long hostnames are almost always DNS tunneling.
Friend or foe?
DNS tunneling has legitimate uses. Many anti-virus software providers use DNS tunneling as a way to update malware profiles in the background, for example.
Apart from these known use cases, however, DNS tunneling is usually a tip-off that something may not be right.
Other patterns in DNS data can indicate whether the tunneling is malicious. When administrators notice a lot of DNS requests at once, an abnormal pattern of DNS activity, or multiple requests and response pairs over time, this often indicates that DNS tunneling is being used for malicious purposes.
The key is to pay close attention to DNS data. What does the volume of DNS traffic, number of hostnames per domain, and domain history say about what’s happening on your network? Have DNS queries jumped to a part of the world where your organization has no business or other connections? Does the device making those connections have any business doing so, or is it a single-use IoT device?
Taking action on DNS tunneling
Since DNS is not intended for data transfer, it can easily be taken hostage and used for malicious communication. If undetected, DNS tunneling can pose a significant risk to your enterprise. There are solid clues to follow to determine if your DNS is being held hostage. You just have to pay attention.
Thankfully, there’s DNS Edge – a powerful tool to monitor your DNS traffic and block DNS tunneling before it wreaks havoc on your network. Learn more about BlueCat’s DNS Edge and its ability to shut down malicious DNS tunneling here.