DNS Tunneling – What it is & How To Stop it in its Tracks
In 2021, SolarWinds fell prey to a massively stealthy cyberattack that used DNS tunneling to remain undetected for 8 months. SolarWinds is now facing projected losses of roughly $90 million USD directly related to this breach.
What is DNS tunneling, though? How can businesses protect themselves from suffering the same fate as SolarWinds?
DNS tunneling is the practice of inserting malicious code into your network’s daily DNS queries and responses (of which there are many) to avoid detection by antivirus software.
In the coming paragraphs we’ll explain more about DNS protocol, DNS tunneling, the impact of such an attack, and how you can shore up your defenses against DNS tunneling.
All About DNS Protocol & Its Vulnerabilities
Fundamentals of DNS Protocol
DNS stands for Domain Name Services. At its core, DNS protocol consists of the instructions that computers use to retrieve and display websites. DNS queries and responses translate human domain names into language that your computer can understand.
For example, when you type in Facebook.com into your internet browser and hit the enter key, your DNS protocol turns “Facebook.com” into an IP address that your computer recognizes, along with other signals to the server.
Next, your computer goes to that IP address and retrieves the code that makes up Facebook.com. The DNS protocol converts that code into the website you interact with and scroll through.
How DNS Tunneling Exploits DNS Protocol
Now you understand what DNS protocol is and how ubiquitous it is on your network. Let’s break down how DNS tunneling takes advantage of this essential process.
Tunneling in general is a hidden connection that conceals a payload through a network’s basic defenses (antivirus software, firewall, etc). DNS tunneling uses the DNS protocol in order to accomplish that goal.
DNS tunneling attacks begin with hackers registering a domain (EX: evilsite.com). They set up a malicious server that will execute commands and install a tunneling program linked to that server.
The initial infection that opens the door to a DNS tunneling attack can come in a variety of ways. Phishing, social engineering, spam mail, or adware can lead someone to click on/download malware – establishing a connection to the attacker.
Once that connection is established, the hacker takes advantage. They hijack a legitimate DNS request and conceal instructions to their malicious server (via their evilsite.com) within it. Once that connection is made, the DNS tunnel is complete.
The cybercriminal can send payloads of malware, manage apps, or connect to remote servers or networks on the infected device. They can also use the tunnel to exfiltrate any data they deem as valuable.
The Aftermath Of A DNS Tunneling Attack
One of the most dangerous things about a DNS tunneling attack is that a bad actor doesn’t even have to be particularly skilled to pull one off. Tunneling application bundles with instructions are widely available online, so anyone with the cash can execute a tunneling attack.
DNS tunneling has the potential to be devastating for all sizes of businesses because it is difficult to detect. Every second counts in a cyberattack, because the more access the hacker gets, the more data they can exfiltrate. Referring back to the SolarWinds breach from the beginning of this blog, it was completely undetected for eight months.
In that amount of time, the hackers likely mapped SolarWinds’ entire network, compiled massive quantities of personal data, and exfiltrated it. They probably logged on multiple times over those eight months, to steal new data added within that time frame.
This is why the penalties SolarWinds is set to pay are so high. Each person whose data was compromised must be considered, and their cyber insurance premiums have almost certainly skyrocketed. Not to mention the reputational losses the business has experienced.
Recognizing DNS Tunneling Attacks
There are two main indicators of a DNS tunneling attack that your filtering system should be designed to catch:
- Unusual Domain Requests – By design, DNS tunneling programs encode information inside a hacker controlled domain name. If the domain names in DNS requests are reviewed, you’ll get a sense of what domain traffic is typical- and what isn’t.
- An Increase in DNS Traffic Volume – DNS domain requests have a 253 character limit. Anything that hackers attempt to do is usually spread out across many requests.
If you’re seeing high levels of DNS requests to a domain name that is atypical from your usual traffic, your organization may be experiencing DNS tunneling.
How To Prevent DNS Tunneling Attacks
In order to prevent DNS tunneling attacks, you and your cybersecurity team should deploy a DNS filtering system. Building an effective filtering system requires a combination of monitoring tools, education/awareness, and antimalware/antivirus solutions, which we will list below.
- Behavioral Analytics – Using a combination of machine learning and human monitoring, develop an ongoing understanding of DNS traffic on your network. It’s incredibly difficult to pinpoint unusual domain requests if you have no reference point for what is a usual request!
- Employee Education – Your cybersecurity team should be trained to recognize atypical DNS traffic patterns. Give them a blacklist of known malicious domains to refer to. Your entire staff (including yourself) should undergo regular and frequent phishing training (read our article for more info). Recognizing and avoiding social engineering attacks can prevent DNS tunneling attempts from taking hold of your network.
- Software Solutions – In addition to antimalware, antivirus, and firewall technology, you should invest in a DNS specific firewall. This can quickly identify any illegitimate traffic. There are also more DNS specific software solutions that can automate behavioral analytics, provide a DNS proxy, or even store and monitor large swaths of network data.
With these strategies, you’re much more likely to detect any atypical DNS traffic and stop an attack in its tracks. Need help executing any of these strategies? Contact a CloudNexus information security expert here!