DNS Tunneling
DNS tunneling refers to the manipulation of the DNS protocol to direct malicious traffic past an organization’s defenses. Using attacker-controlled domains and DNS servers, an attacker can route traffic through DNS, evading network security controls, in order to exfiltrate data.
Overview
An attacker can build a command and control channel for malware on top of DNS requests because organizations generally allow DNS traffic to pass through their firewalls. Inbound DNS traffic carries commands to the malware, while outbound DNS requests, which go to attacker-controlled DNS servers, exfiltrate data or respond to the malware operator’s requests.
Paths
- DNS tunneling malware encodes data within a requested domain name, for instance, in the subdomain.
- Sudden surges in DNS requests, because
  - the attacker owns the target domain, so the DNS requests go to the attacker’s DNS server, and
  - the character limit on domain names means the attacker needs many malicious DNS requests to exfiltrate data or implement a command and control channel.[1]
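A defender-side illustration of the two indicators above (encoded data in subdomain labels, and a surge of distinct requests to one zone), added here as example code that is not from the page or its cited sources. It assumes a constructed resolver log, a crude two-label zone cut, and thresholds (entropy, average label length, uniqueness ratio) that a real deployment would tune.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (time, client, queried name); not a real capture.
# The *.tunnel-test.invalid names mimic data encoded into subdomain labels.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:03 10.0.0.7 3q2f8a1b9c0d7e6f.a8b7c6d5e4f3a2b1.tunnel-test.invalid
10:00:03 10.0.0.7 9f8e7d6c5b4a3210.1122334455667788.tunnel-test.invalid
10:00:04 10.0.0.7 0a1b2c3d4e5f6789.abcdef0123456789.tunnel-test.invalid
10:00:04 10.0.0.7 deadbeefcafef00d.0123456789abcdef.tunnel-test.invalid
10:00:05 10.0.0.5 cdn.example.com
"""

def shannon_entropy(s):
    """Bits per character: encoded data scores near log2(alphabet), words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name):
    """Crude zone cut: last two labels (assumption; a real tool would use a suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def analyze(log_text, min_queries=3, entropy_threshold=3.5, min_avg_len=30):
    """Return zones whose subdomains look like encoded, high-volume tunnel traffic."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": 0.0, "length": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue            # skip malformed lines rather than crash the detector
        name = parts[2].lower()
        zone = registered_domain(name)
        sub = name[: -(len(zone) + 1)] if len(name) > len(zone) else ""
        s = stats[zone]
        s["queries"] += 1
        s["subs"].add(sub)      # a tunnel rarely repeats a label, so most are unique
        s["ent"] += shannon_entropy(sub)
        s["length"] += len(sub)
    flagged = {}
    for zone, s in stats.items():
        if s["queries"] < min_queries:
            continue            # tunneling needs many requests; ignore one-off lookups
        avg_ent = s["ent"] / s["queries"]
        avg_len = s["length"] / s["queries"]
        unique_ratio = len(s["subs"]) / s["queries"]
        if avg_ent >= entropy_threshold and avg_len >= min_avg_len and unique_ratio >= 0.9:
            flagged[zone] = {"queries": s["queries"], "avg_entropy": round(avg_ent, 2),
                             "avg_len": round(avg_len, 1), "unique_ratio": unique_ratio}
    return flagged
```

Running `analyze(SAMPLE_LOG)` flags only `tunnel-test.invalid`; `example.com` has enough queries to be evaluated but its short, low-entropy labels keep it well below every threshold.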
Hackers Relying on DNS Tunneling
- OilRig - Palo Alto Networks’ Unit 42 revealed that the Iran-linked cyberespionage group OilRig began broadly and persistently using DNS tunneling in 2017.[2][3]
- Greenbug - Symantec discovered the Greenbug cyberespionage group in 2017 while investigating the Shamoon attacks against energy companies in Saudi Arabia, which dated from 2012.[4]