What Is DNS Tunneling?
DNS tunneling is a difficult-to-detect attack that routes DNS requests to the attacker's server, giving attackers a covert command-and-control channel and a data exfiltration path.
DNS is like a phonebook for the internet, helping to translate between IP addresses and domain names. Humans aren't great at remembering long strings of numbers. A web address (like extrahop.com/network-attack-library) is easier to remember and tells you a bit about where you're going. Since web browsers use IP addresses, you need something to translate between the two.
Bad actors use DNS tunneling to get data through firewalls. DNS tunneling encodes command and control (C&C) messages or small amounts of data into inconspicuous DNS queries and responses. Since a DNS message can carry only a small amount of data, commands must be small and data exfiltration is slow. The technique is difficult to detect because DNS is a noisy protocol, which makes it hard to distinguish malicious queries from the normal host lookups that make up ordinary DNS traffic.
How it works:
- The bad actor has a server running malware on it, with a domain pointing to that server.
- The attacker uses a host they have infected with malware to query for the attacker-controlled domain.
- When the DNS resolver routes the query, it creates a tunnel from the attacker to their target, allowing them to get data, remotely control the host, or otherwise take the next step in the attack chain.
Did the SUNBURST Attack Use DNS Tunneling?
The answer is… complicated. While SUNBURST clearly used DNS, the technique it leveraged for command-and-control is most commonly understood as a domain generation algorithm. It did encode data within DNS in order to select targets, but it wasn't using DNS as the primary means of command-and-control. That said, there is an interesting argument to be made that SUNBURST was DNS tunneling.
Protection Against DNS Tunneling Attacks
The two primary methods for monitoring DNS and detecting attacks are payload analysis and traffic analysis. Payload analysis looks at the contents of DNS requests and responses. Factors like the difference between the size of the request and the size of the response, and unusual host names, can help identify suspicious activity.
Traffic analysis uses information like the number of requests made, geographic locations, and domain history to separate normal DNS traffic from malicious behavior. For example, network detection and response uses machine learning to establish a baseline for what normal DNS behavior looks like in any given environment, then provides alerts for anomalous behavior that could signify an attack.
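As an added example (not from the article or any vendor product), the following Python scorer applies both methods to a constructed resolver log: payload analysis per query (subdomain length, character entropy, and a TXT answer far larger than the name asked for) and traffic analysis per registered domain (query volume and the fraction of never-repeated subdomains). The thresholds, the sample names and the two-label registered-domain split are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
# Constructed sample resolver log: (client, query name, record type, response bytes); names are made up.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A", 60),
    ("10.0.0.5", "www.example.com", "A", 60),
    ("10.0.0.7", "mail.example.com", "MX", 90),
    ("10.0.0.9", "7a3f91c2e8b04d6f5a1c.tunnel-example.test", "TXT", 410),
    ("10.0.0.9", "0c4e8b2a6f1d93e7c5b8.tunnel-example.test", "TXT", 398),
    ("10.0.0.9", "e5d1a9c3b7f20486d2e6.tunnel-example.test", "TXT", 405),
]
# Thresholds are illustrative assumptions, not values from the article.
MAX_SUBDOMAIN_LEN = 30    # payload: long labels carrying encoded data
MIN_ENTROPY = 3.5         # payload: encoded text has near-uniform character use
MAX_RESP_RATIO = 5.0      # payload: TXT/NULL answer far larger than the name asked for
MIN_UNIQUE_RATIO = 0.8    # traffic: almost every query is a never-repeated subdomain
MIN_QUERIES = 3           # traffic: ignore domains seen only once or twice

def shannon_entropy(text):
    """Bits per character: encoded payloads score high, ordinary host names low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """(registered domain, subdomain); assumes two-label registered domains (no PSL)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def payload_suspicious(sub, qtype, resp_bytes, qname_len):
    """Payload analysis of one query/response pair."""
    return (len(sub) > MAX_SUBDOMAIN_LEN
            or shannon_entropy(sub) > MIN_ENTROPY
            or (qtype in ("TXT", "NULL") and resp_bytes / qname_len > MAX_RESP_RATIO))

def score_domains(log):
    """Traffic analysis per registered domain, combined with per-query payload hits."""
    per_domain = defaultdict(list)
    for _client, qname, qtype, resp_bytes in log:
        domain, sub = split_name(qname)
        per_domain[domain].append((sub, payload_suspicious(sub, qtype, resp_bytes, len(qname))))
    report = {}
    for domain, rows in per_domain.items():
        queries = len(rows)
        hits = sum(1 for _sub, hit in rows if hit)
        unique_ratio = len({sub for sub, _hit in rows}) / queries
        report[domain] = {"queries": queries, "payload_hits": hits,
                          "unique_ratio": round(unique_ratio, 2),
                          "suspicious": (queries >= MIN_QUERIES and hits * 2 >= queries
                                         and unique_ratio >= MIN_UNIQUE_RATIO)}
    return report
```

In a real deployment the thresholds would be learned per environment from a baseline, as the paragraph above describes, rather than fixed constants.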
Detection of this attack can be enhanced using decryption. CISA recommends that local DNS servers use DNS-over-HTTPS or DNS-over-TLS to secure internal DNS traffic; decrypting this traffic gives SecOps visibility into potential data exfiltration, command and control, and more. For this reason, it's critical that security tools have decryption capabilities for all common encryption protocols, including TLS 1.3 and Kerberos.
DNS Tunneling History
Hijacking DNS was first discussed in the late 1990s, and by 2004 it was widespread enough to be covered at Black Hat by Dan Kaminsky. Kaminsky wrote OzymanDNS, one of the first utilities used for DNS tunneling. Many more have been created since, though the central method remains largely the same.
Some common utilities used for DNS tunneling are Iodine (2006), NSTX (2000, Linux only), and DNScat (2010).