Why you should pay attention to DNS tunneling

BY Ben Ball

What is DNS tunneling?

DNS tunneling is a way of transmitting information through the protocol which usually resolves network addresses. 

Here's how DNS tunneling works. A normal domain name system query only contains the information necessary to communicate between two devices. DNS tunneling inserts an unrelated stream of data into that pathway. It establishes a form of communication which bypasses most filters, firewalls, and packet capture software. 

DNS tunneling moves data across a network in a way that makes it appear as public information, when in fact it is private. This form of secure movement allows the data to pass through the network unnoticed via a process called encapsulation. In short, it's like a VPN connection through the DNS protocol.

Is this a security risk?

DNS is often left open and unmonitored. Some network administrators believe that they've got Port 53 covered with their firewall, and take no further action.

Knowing this, malicious actors increasingly use DNS tunneling to their advantage. They skirt standard cybersecurity protections by communicating through what looks like a background operational channel. There are plenty of DNS tunneling tools like Iodine which can be used right off the shelf. Most techniques are not particularly stealthy. When no one’s looking, they don’t have to be.

Malicious actors use this tactic in many ways. They can establish command and control, using DNS tunneling to hide the “beaconing” to outside assets which most filters and firewalls would notice. Data exfiltration can also take place through DNS tunneling attacks, resulting in compromised systems and data. In these cases, information is often broken up into smaller pieces, moved out through DNS, and re-assembled on the other end. 

How to detect DNS tunneling

How can DNS tunneling be detected? The queries themselves often provide clues.

Standard DNS queries are usually quite simple – they consist primarily of a domain and subdomain. When tunneling is used, on the other hand, malicious actors usually attempt to put as much data into the communication channel as possible. Querying for text records, which are not commonly used by a typical client, may be helpful in identifying tunneling activity.

It’s important to note that tunneling often includes of a series of queries from the DNS server – each one different from the next. The unique nature of these queries is designed to increase the chances of getting through. Records with long strings of unique characters, long labels, and long hostnames are almost always DNS tunneling.

Friend or foe?

DNS tunneling has legitimate uses. Many anti-virus software providers use it as a way to update malware profiles in the background, for example.

Apart from these known use cases, however, DNS tunneling is usually a tip-off that something may not be right.

Other patterns in DNS data can indicate whether the tunneling is a sign of malicious activity. When administrators notice a lot of DNS requests at once, this often indicates that DNS tunneling is being used for malicious purposes. For example, an abnormal pattern of DNS activity to a single IP address, or multiple requests and response pairs over time.

The key is to pay close attention to DNS data. Questions you need to consider are:

  • What does the volume of DNS traffic and number of hostnames per domain say about what’s happening on your network?
  • What can the domain history tell you about network activity?
  • Have DNS queries jumped to a part of the world where your organization has no business or other connections?
  • Does the device making those connections have any business doing so? Or is it a single-use IoT device?

Taking action on malicious activity

Since DNS is not intended for data transfer, it can easily be taken hostage and used for malicious communication. If undetected, DNS tunneling can pose a significant risk to your enterprise. There are solid clues to follow to determine if your DNS is being held hostage. 

You just have to pay attention.  At a basic level, that means having an organized system to collect, monitor, and take action on DNS data in the first place. If you have a decentralized system for DNS management, then you're going to have a hard time detecting any kind of activity. Microsoft, BIND, or a homegrown solution make detection a real challenge.

Thankfully, there’s BlueCat's Intelligent Security. The powerful tool monitors your DNS traffic and block DNS tunneling before it wreaks havoc on your network. Learn more about BlueCat’s Intelligent Security and its ability to shut down malicious DNS tunneling.

Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.

View more articles by Ben Ball