DNS tunneling refers to the manipulation of the DNS protocol to direct malicious traffic past an organization’s defenses. Using malicious domains and attacker-controlled DNS servers, an attacker can evade network security and exfiltrate data over DNS.

Overview

An attacker can use DNS requests to implement a command and control channel for malware because organizations allow DNS traffic to pass through their firewalls. Inbound DNS traffic carries commands to the malware, and outbound traffic, which goes to attacker-controlled DNS servers, exfiltrates data or responds to the malware operator’s requests.

Paths

  1. DNS tunneling malware encodes data within a requested domain name, for instance in the subdomain.
  2. Sudden surges in requests, because
     1. the attacker owns the target domain, so the DNS requests go to the attacker’s DNS server, and
     2. the attacker needs many malicious DNS requests to exfiltrate data or implement a command and control attack, due to the character limit on domain names.[1]
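The two signs listed above, encoded data in the subdomain and a surge of queries to one domain, can be scored directly from DNS query logs. The detector below is an added example, not code from the original page; the log, the domain names (`tunnel.example`, `cdn.example`) and the thresholds are all constructed for illustration.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample log of (client_ip, queried_name): a few ordinary lookups,
# two long CDN-style names, and 40 queries carrying a 64-hex-char chunk split
# across two labels (a label may hold at most 63 characters).
SAMPLE_LOG = [("10.0.0.5", n) for n in
              ("www.example.com", "mail.example.com", "www.example.com",
               "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cdn.example",
               "f6e5d4c3b2a1f6e5d4c3b2a1f6e5d4c3.cdn.example")]
for i in range(40):
    chunk = hashlib.sha256(f"constructed chunk {i}".encode()).hexdigest()
    SAMPLE_LOG.append(("10.0.0.7", f"{chunk[:32]}.{chunk[32:]}.tunnel.example"))

def registered_domain(name):
    """Last two labels of a name (assumes no public-suffix list is needed)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def subdomain_part(name):
    """Everything left of the registered domain, where encoded data would sit."""
    return ".".join(name.rstrip(".").split(".")[:-2])

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def score_queries(log, min_queries=20, min_sub_len=30, min_entropy=3.5):
    """Flag registered domains that receive a surge of queries whose
    subdomains are long and high-entropy; thresholds are illustrative."""
    per_domain = defaultdict(list)
    for _client, name in log:
        per_domain[registered_domain(name)].append(subdomain_part(name))
    flagged = {}
    for domain, subs in per_domain.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if (len(subs) >= min_queries and avg_len >= min_sub_len
                and avg_ent >= min_entropy):
            flagged[domain] = {"queries": len(subs),
                               "avg_subdomain_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Only `tunnel.example` is flagged: the CDN names are long and random-looking too, but only two queries reach that domain, so the surge condition is what separates them.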

Hackers Rely on DNS Tunneling

  • OilRig - Unit 42 of Palo Alto Networks revealed that the Iran-linked cyber-espionage group OilRig broadly and persistently uses DNS tunneling.[2], [3]

References