Big Fish Critical Network Services – DNS Tunneling: Part 1
Abstract
Learn what DNS Tunneling is, why it’s a bad ide a for both you and your vendors, and how to switch to better solutions that protect your network and data.
Introduction
This is the first part of a four-part series on DNS tunneling. Part one discusses what DNS tunneling is and the associated risks and mitigation strategies. We will dive deeper into more distinct types of DNS tunneling and further into mitigation strategies in upcoming Parts.
DNS tunneling is a sneaky technique that uses the Domain Name System (DNS) as a hidden channel to send and receive data. DNS is the protocol that translates domain names (such as www.google.com) into IP addresses (such as 172.217.14.206) that computers can understand and communicate with. It is like the phone book for the internet, except that you don’t have to flip through pages to find what you’re looking for. DNS queries and responses are usually sent over UDP port 53, which is left open by firewalls and other network security measures, as it is essential for the normal functioning of the internet.
But DNS tunneling is also a big security threat, as it can be exploited for malicious or unauthorized purposes, such as cyberattacks, data theft, or policy violations. DNS tunneling can bypass network security devices and systems, exposing your network and data to serious risks and threats. In this article, I will explain what DNS tunneling is, how it works, why it’s a bad idea for both you and your vendors, and how you can stop it from compromising your network and data security.
How DNS Tunneling Works
DNS is essential for the internet to work, and it uses UDP port 53, which is usually open by firewalls and other network security measures. However, DNS tunneling can also use DNS as a hidden channel to send and receive arbitrary data, such as web pages, files, commands, or keystrokes. The data is divided into small pieces and encoded into the subdomains of a specially crafted domain name, such as a.b.c.d.e.example.com. The domain name is then sent as a DNS query to a DNS server that is either controlled by the sender or a third party. The DNS server decodes the data from the subdomains and either sends back the requested data encoded in the DNS response or sends the data to another destination. The receiver then decodes the data from the DNS response or the destination and reconstructs the original data.
DNS tunneling can create a two-way communication channel between two endpoints, such as a client and a server, or a victim and an attacker. The client can send requests to the server, and the server can send responses or commands to the client, using DNS queries and responses as the medium. The data exchanged over DNS tunneling is usually encrypted, compressed, and obfuscated, to avoid detection and interference by network security devices and systems. In 2014, I discovered a considerable number of queries being sent to a storage vendor. The queries had the telltale signs of DNS tunneling described later in this article. I contacted the vendor and they responded that the data was relaying statistics and status information on their hardware platforms. The data was encrypted, so how did I know they were not sending back data from the drives? And they were violating our enterprise security policies by not documenting the use of DNS tunneling. The department that owned the security plan for the array was not even aware of this, and it wasn’t documented in their security plan. The security plan was updated, and I was told the traƯic was “legitimate”.
I still question that. How can the “legitimate” transfer of data not go through the appropriate data loss prevention tools for the transmission of data outside of an organization? No data classification, no adherence to policies, it still blows my mind to this day.
Why DNS Tunneling is a Security Threat
DNS tunneling can be exploited by both legitimate and malicious actors, depending on their intent and the context. Some of these purposes may be beneficial and legitimate for users and companies, while others may be malicious and harmful, posing security risks and violating enterprise policies. Here are some examples of the security threats that DNS tunneling can pose:
- Accessing blocked websites: DNS tunneling can be used to access websites that are blocked by firewalls, proxies, or censorshipregimes, such as social media, news, or streaming sites. This can be harmful for enterprises that want to enforce network policies and prevent unauthorized or inappropriate access to certain websites, as DNS tunneling can bypass their network security measures and expose their network and data to potential threats.
- Circumventing censorship: DNS tunneling can be exploited to circumvent censorship and surveillance by governments, ISPs, or other entities, which may monitor or manipulate internet traƯic. This can be harmful for enterprises that operate in countries or regions that have strict laws and regulations on internet usage, as DNS tunneling can violate their legal obligations and expose them to legal risks and penalties.
- Providing remote access: DNS tunneling can be exploited to provide remote access to a network or a device, such as a VPN, a shell, or a desktop. This can be harmful for enterprises that want to control and monitor the access to their network and devices, as DNS tunneling can bypass their authentication and authorization mechanisms and expose their network and devices to unauthorized or malicious access.
- Exfiltrating data: DNS tunneling can be exploited to exfiltrate data from a network or a device, such as files, credentials, or keystrokes. This can be harmful for enterprises that want to protect and manage their data, as DNS tunneling can bypass their data loss prevention and encryption systems and expose their data to theft or leakage. This could be from a bad actor like a hacker or even for corporate espionage.
- Command and control: DNS tunneling can be exploited to establish a commandand-control (C2) channel between an attacker and a compromised system, such as a malware, a botnet, or a ransomware. This can be harmful for enterprises that want to detect andremove malicious software from their network and devices, as DNS tunneling can bypass their network security devices and systems and allow the attacker to remotely control, update, or execute the malicious software.
- Phoning home: DNS tunneling can be exploited to send usage and status data from a device to a vendor, such as a hardware, a software, or a service. This can be harmful for enterprises that are required to limit or control the data that is sent from their network and devices, as DNS tunneling can bypass their data protection and compliance systems and expose their data to potential misuse or abuse by the vendors or third parties.
Conclusion
DNS tunneling is a technique that uses DNS as a hidden channel to send and receive data. DNS tunneling can be used for good or bad purposes, depending on the intent and the scenario of the sender and the receiver. However, DNS tunneling can also expose your network and data to serious security risks and policy violations, regardless of the intent or the scenario. Therefore, you should block all DNS tunneling with a product capable of identifying the bad queries from the good queries. You should also stop vendors from relying on DNS tunneling for “legitimate use cases” and require them to use better solutions that follow your network and data policies and standards, and respect your enterprise policies and data confidentiality. You should also be aware of the possibility of DNS tunneling being used for corporate espionage and take measures to prevent and respond to any such attempts.
I hope this article has provided useful and insightful information on DNS tunneling. I encourage you to take action to stop using DNS tunneling and switch to better solutions for your network and data, and to stop vendors from relying on DNS tunneling for ‘legitimate use cases’. If you have any questions, comments, or feedback, please feel free to contact me at mfisher@bigfishcns.com. I would love to hear from you. Thank you for reading. Written By Michael Fisher, Distinguished Engineer, Big Fish Core Network Services.
