DNS tunneling is a cyber attack method that encodes data from other programs or protocols into DNS queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS server and used to control a remote server and applications. Typically this requires the compromised system to have external network connectivity, since DNS tunneling relies on access to an internal DNS server that can in turn reach the outside network. Hackers must also control a domain and a server that can act as its authoritative name server, in order to run the server-side tunneling and data payload executables.

Cybercriminals know that DNS is widely used and trusted. Also, because DNS is not designed for data transfer, many organizations do not monitor their DNS traffic for malicious activity. As a result, various types of DNS-based attacks can be effective when launched against company networks.

DNS tunneling takes advantage of this by using DNS requests to implement a command-and-control channel for malware. Incoming DNS traffic can carry commands to the malware, while outgoing traffic can leak sensitive data or return responses to requests from the malware operator. This works because DNS is a very flexible protocol: there are very few restrictions on the data a DNS request may contain, because the protocol is designed simply to look up domain names.

To protect against DNS tunneling, you need an advanced network threat prevention system capable of detecting and blocking this attempted data exfiltration. Such a system must inspect network traffic and have access to robust threat intelligence, so that it can identify traffic destined for malicious domains as well as malicious content that may be embedded in DNS traffic.
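As an added illustration of the kind of inspection described above (example code written for this page, not from the original post or any product): a small Python heuristic that scores DNS query log lines for the usual tunneling indicators, namely unusually long labels, high-entropy labels that look like encoded payloads, record types such as TXT and NULL that can carry arbitrary data, and many distinct subdomains under one base domain. The log lines, the thresholds, and the rule that the base domain is the last two labels are all assumptions for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (not taken from the page): "<client> <qtype> <qname>". The
# example-malicious.test lines mimic a tunnel: long, high-entropy labels under one base domain.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example-malicious.test
10.0.0.7 TXT 8796a5b4c3d2e1f00f1e2d3c4b5a6978.t.example-malicious.test
10.0.0.7 TXT abcdef01234567899876543210fedcba.t.example-malicious.test
10.0.0.7 NULL 1032547698badcfeefcdab8967452301.t.example-malicious.test
10.0.0.9 A cdn.example.org
"""

PAYLOAD_TYPES = {"TXT", "NULL"}  # record types often abused to carry tunnel data
MAX_LABEL_LEN, MIN_ENTROPY, MIN_UNIQUE_SUBDOMAINS = 24, 3.5, 3  # assumed thresholds

def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than ordinary hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """Return (subdomain, base_domain); the base domain is assumed to be the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_indicators(qtype, qname):
    """Per-query tunneling indicators; an empty list means nothing looked suspicious."""
    sub, _ = split_name(qname)
    longest = max(sub.split("."), key=len) if sub else ""
    indicators = ["long_label"] if len(longest) > MAX_LABEL_LEN else []
    if shannon_entropy(longest) >= MIN_ENTROPY:
        indicators.append("high_entropy")
    if qtype.upper() in PAYLOAD_TYPES:
        indicators.append("payload_rrtype")
    return indicators

def analyze_log(log_text):
    """Aggregate per base domain and flag those combining query and volume signals."""
    stats = defaultdict(lambda: {"subdomains": set(), "indicators": set()})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        sub, base = split_name(qname)
        stats[base]["subdomains"].add(sub)
        stats[base]["indicators"].update(query_indicators(qtype, qname))
    return {base: sorted(s["indicators"]) for base, s in stats.items()
            if s["indicators"] and len(s["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS}
```

Running `analyze_log(SAMPLE_LOG)` flags only example-malicious.test; in practice the thresholds should be tuned against a baseline of the organization's own normal DNS traffic, since long or random-looking names also occur legitimately (CDNs, anti-spam checks, certificate validation).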

Other related topics:
VPNFilter – A serious risk for routers
DNS Poisoning – A Real Danger for DNS Servers


2 comments on «DNS Tunneling – A Data Encoder Attack Method»
