4 strategies to help reduce the risk of DNS tunneling

Domain name system (DNS) tunneling is a pervasive threat that enables hackers to get any data in and out of a company’s internal network while bypassing most firewalls. The domain name system translates numeric internet protocol addresses that browsers can then use to load web pages — threat actors use tunneling to exploit this process and steal data by hiding it inside DNS traffic.

Most DNS attacks focus on spoofing or misdirection, where an attacker either feeds false information to DNS servers or convinces other systems to query a hostile DNS server instead of a legitimate one. But DNS tunneling essentially smuggles hostile traffic through DNS ports, which makes these attacks difficult to detect and mitigate.

“Attacks that exploit weaknesses in DNS can misdirect other systems to connect to or mistakenly trust hostile systems, all without exploiting conventional vulnerabilities like missing patches or misconfigurations,” says Jacob Ansari, PCI practice leader at global audit, tax, and advisory firm Mazars.

Most DNS attacks arise because the original DNS protocol, dating from the earliest days of the internet, did not have security functions, such as authenticity or integrity. That can give cybercriminals a conduit to abuse necessary network services such as DNS, to exfiltrate data instead of stealing it directly from a network, says Tim Shimeall, a senior member of the technical staff with the CERT network situational awareness group at Carnegie Mellon Software Engineering Institute.

“This abuse is challenging to detect since it is mixed with the expected and required uses of these services — the hiding in the crowd approach,” he says. “By applying network monitoring tools and building familiarity with the expected and required uses, the challenge of detecting abuse becomes more achievable.”

Here are four strategies to identify and reduce the risk of DNS tunneling:

Combine technical and human solutions

Organizations should look to both human and technical solutions to deal with DNS tunneling, says Terrence O’Connor, assistant professor of computer engineering and sciences and cybersecurity program chair at the Florida Institute of Technology. From a personnel standpoint, organizations can establish internal, proactive threat-hunting groups.

Such groups can improve threat detection and response times, analyzing network traffic logs to identify anomalies or developing signatures based on historical attacks and tools. Further, the group can inform network defenders about emerging attack technologies and how they uniquely leverage DNS for malicious purposes.

From a technical standpoint, companies can enable security mechanisms that defeat DNS tunneling. For example, organizations may employ the DNS Security Extensions (DNSSEC), a security mechanism that requires cryptographic validation of DNS messages, O’Connor says. “While no approach is perfect, combining both human and technical solutions can largely defeat most DNS tunneling attack approaches.”

The best approach is a defense-in-depth solution that combines technical aspects with the upskilling of a security team so they can perform manual analysis if the tools raise any alerts, says David Maynor, director of the Cybrary threat intelligence group.

“To identify DNS tunneling, organizations should implement tools that provide deep-packet inspection and can view and analyze DNS packets,” he says. “Rules can then be applied to detect fields that violate the request for comments standard.”

Another method is anomaly-based network analysis with which network flow is analyzed for abnormal behavior, Maynor says. For example, a workstation suddenly sending DNS traffic out of the network to seemingly random DNS servers would be a big red flag. Security teams can then respond to the alerts raised by the tools regarding these issues.

Monitor Internet activities

DNS service is a perfect choice and target for attackers due to the sensitivity of this service, so it’s important for organizations to rigorously monitor and alert their DNS services for unusual activities, says Izzat Alsmadi, associate professor in the Department of Computing and Cyber Security at Texas A&M University-San Antonio.

One way of doing this is to actively monitor internet activities and block IP addresses known to create such issues, Alsmadi says. “This is a general blacklisting approach, but it is generally hard to accommodate all possible attackers, hence it’s important to include rules that alert for strange or unusual DNS queries.”

Hardening local clients and ensuring users know to avoid phishing campaigns is also important as most DNS attacks start by exploiting a local trusted client or computer, Alsmadi says.

Dan Petkevich, founder and CEO of Fair Square Medicare, says his company leverages technology to help older adults find insurance that best fits their healthcare needs. Because of the high level of personal data involved in the business, Fair Square Medicare is sensitive to the risks of DNS tunneling. He says one of the most practical methods to prevent DNS tunneling is by continuously monitoring the kind of traffic frequenting a company’s system.

“This allows you to detect any suspicious activity from its inception and block its access to the network before the damage is done,” Petkevich says. “When I’m searching the web, I typically use sites with HTTPS protocols over HTTP because they’re more secure against these attacks. As a business owner, it’s crucial that your web developer includes the HTTPS protocol in your site. These days, even Google is aware of the high risk of DNS tunneling, and so it tends to warn surfers if a site isn’t well-equipped to protect their data.”

Ensure third parties fix misconfigurations in their DNS servers

Some DNS attacks involve denial-of-service (DoS) attacks or distributed denial-of-service (DDoS) attacks, where an attacker sends a large number of hostile DNS queries that can overwhelm DNS infrastructure and cause what amounts to internet outages at the victim organizations, Ansari says.

Some of these attacks make use of third-party DNS servers to respond to the victim organizations’ DNS servers. “The solution for these attacks is to get the other parties to fix misconfigurations in their DNS servers. As such, this can be difficult to resolve if those parties are uncooperative or suborned by the attacker,” Ansari says. “If third parties aren’t adhering to good DNS security practices, include that in negotiations for contract renewal and third-party risk management efforts.”

Employee training

Because of the many different legitimate uses of DNS, it’s hard to tell if the data fields in the requests and responses are valid, according to Maynor. “Attackers capitalize on the complexity and trusted and required nature of DNS by crafting their own seemingly real-looking DNS traffic with data in the fields,” he says. “This gives an attacker inside a network the ability to exfiltrate data in a way that looks legitimate to the casual user.”

Consequently, to keep systems protected against DNS tunneling, companies must conduct regular employee training programs on phishing, malware, and DNS tunneling attacks, says Ihab Shraim, chief technology officer at CSC Digital Brand Services. Employees who recognize and avoid social engineering attacks can prevent DNS tunneling attempts.

Organizations should also train cybersecurity teams to recognize DNS traffic patterns that are not typical. Implementing machine learning techniques on DNS traffic can help security teams detect anomalies in patterns.