DNS tunnelling – the new threat to your business

30th November 2017

Gavin Rawson

Gavin Rawson
Technical Lead

The internet is built on the Domain Name System (DNS) protocol. It makes web browsing possible by allowing domain names to be associated with IP addresses. The DNS is one of the oldest protocols on the internet, yet its ubiquity has made it a target for attackers who have increasingly been attempting to exploit its simplicity.

As explored in a blog in March, DNS tunnelling is misuse of the DNS. Using other protocols (i.e. SSH, TCP, HTTP), hackers seek to tunnel through DNS queries and responses for malicious reasons, such as for malware insertion or data exfiltration.

It’s important to note that DNS tunnelling is not a new method of misuse. In fact, it originated as a method to get past captive portals for WiFi and connect to the internet without paying for the service. However, in recent years it has become a method for hackers to siphon data from business networks.

There’s no inherent security or monitoring capability for DNS. As it is a widely-used and well-trusted service, few organisations examine their DNS traffic for suspicious activity. Combined with the fact that there are several, easily available, tunnelling packages that require little technical expertise to use, DNS tunnelling is an appealing avenue for hackers. A report revealed that 40% of business networks show evidence of DNS tunnelling.

The trusted nature of DNS, and the fact that stolen information is hidden through data encoding to mask the activity, means hackers could be extracting valuable customer information and financial details for months without an organisation ever realising. The immediate impact of DNS tunnelling is not always obvious to the business under attack.

Unfortunately, few of the security tools that most businesses use will be configured to defend against DNS attacks. Specialist solutions must be employed to protect organisations against this threat. Fortunately, there are a number of features that businesses can prioritise to ensure they find best solution.

Firstly, any tool must be able to detect attacks coming from preconfigured DNS tunnelling toolkits. There should also be a facility to block known exfiltration destinations so that even a compromised system can be prevented from sending stolen information out of the network.

The right solution should also use real-time analytics to automatically assess both DNS payloads and traffic. Payload analysis can review transaction data to identify specific patterns that might indicate malicious activity. Traffic analysis can scrutinise the volume of DNS traffic, hostnames per domain, location and history to spot suspect behaviour.

Putting the right tool in place is one step towards better protecting the business, but defence against DNS tunnelling mustn’t stop there. It’s crucial that an organisation develops an incident response checklist to enable a quick reaction to contain and mitigate the threat once identified. This involves quarantining the DNS when a threat has been detected and ensuring recursive servers are configured to work as backups.

DNS is one of the building blocks of the internet, but the intrinsic trust that most organisations have in DNS makes it an attractive target for attackers. Many businesses are still unaware of this threat and may not even realise they are being hacked through this method. By acting now to put robust security solutions specifically calibrated for DNS threats in place, hugely damaging leaks may be avoided.