Discover how hackers exploit your DNS tunnels

If DNS never existed, the internet as we know it would sink into oblivion. The DNS serves as a translation tool for domain name to IP addresses. And there's no doubt that any organization's DNS is bubbling with traffic, often unnoticed by many security analysts. This makes it an attractive vector for a hacker hoping your DNS traffic isn't monitored. While the DNS has been designed to translate domain names, there's a minute amount of data that can be transferred through it that hackers can exploit to launch a DNS tunneling attack.

What is a DNS tunneling attack?

Let's first start with the basics. DNS traffic is allowed to permeate and flow through perimeter protection solutions, like firewalls, and evade the organization's defenses. It provides the perfect channel for hackers to establish a virtual tunnel, which is basically a connection that contains a malicious payload in the form of commands or tiny bits of data. The DNS isn't really a data transmission protocol, but sophisticated hackers can leverage it to transmit destructive data between the victim's system and the attacker's server.

How is the attack tunnel set up?

A DNS tunneling attack depends on the client-server model of accessing resources.

• The hacker begins by creating a malicious domain with the domain name directing traffic to the hacker's server.
• The hacker compromises a system on the target organization's network. Since DNS queries can cross through the firewall without looking suspicious, the DNS resolver, a server that assists in the domain name to IP translation process, can easily be contacted.
• The DNS resolver directs the query to the attacker's server where the tunneling program exists, and a channel is now created between the victim's system and the hacker's server, known as the Command and Control servers (C&C servers). This how Command and Control communication takes place. Since these communications are being routed through the DNS resolver, it's difficult to track commands and small packets of data being transferred through the tunnel.

DNS tunneling is not the easiest attack to detect. You can't just apply detection logic and expect surefire results at spotting its occurrence.

But there are a couple of near-fire ways that alert you to a DNS tunnel attack.

1. Unusual domain name requests: The domain names to the C&C servers are usually random like "asdggj.com" or "12.345.672.hujist.com". If such domain names are encountered in the logs, they should be immediately blacklisted. Also, top-level domain names, such as .tk and .ru, are suspicious and should be checked for malicious activity.

2. Abnormal volume of DNS: When a large number of DNS queries are sent in a short span of time to domains with unusual names, it is a sure sign of malicious activity. If these queries occur at odd hours, it's possible that the querying systems are infected. If you utilize a UEBA system in your security strategy, you could establish a baseline to determine DNS traffic during a typical day. After that, any spike in DNS volumes, and above a certain threshold (likes twice the normal volume), could be a great way to spot DNS tunnels in your network. This is because DNS tunnels can only transmit small amounts of data at a time through the query. A hacker would have to use several queries to run commands, or to exfiltrate data, thereby leading to a spike in query volumes.

DNS tunneling isn't an attack where you can pinpoint its presence by relying on detection mechanisms or correlation rules. Rather, your team will have to use manual threat hunting methods based on the indicators of compromise we discussed above.