ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

DNS Tunnel

Risk Factors

Even though advanced skills are not required to set up a DNS tunnel, this type of C&C channel is not commonly deployed by attackers. DNS tunnels have rigid requirements that do not allow for large data transfers. However, the presence of a DNS tunnel on your network indicates that an attacker might be conducting a persistent attack. The ultimate objective of a persistent attack, such as data exfiltration, could have a significant impact on a business or organization.

The system might change the risk score for this detection.

Kill Chain

Command-and-Control

Risk Score

56

Next in Command-and-Control: Domain Fronting

Attack Background

DNS is a common protocol that can bypass firewalls and proxy servers when delivering information between a client and server. Typically, a DNS query includes a hostname that needs to be resolved into an IP address. A DNS tunnel is a malicious manipulation of normal DNS services to exchange arbitrary data, such as malware commands or exfiltrated data, between a compromised device and a C&C server. First, the compromised device sends DNS requests and receives DNS responses for subdomains of an attacker-controlled domain. The attacker's server, which acts as the authoritative name server for the malicious domain, sends or receives the arbitrary data. DNS tunnels can help the attacker maintain contact with a compromised device while evading intrusion detection systems.

Legitimate software that submits license checks or file hashes over DNS can cause false positives. As you investigate, look for the combination of suspicious domains and arbitrary data within DNS queries to confirm the presence of a DNS tunnel.

Mitigation Options

Quarantine the potential DNS tunneling client devices and check for other malicious activity

Force all DNS clients to send queries to an internal DNS server that filters or blocks suspicious domains

Report the suspicious domain to threat intelligence platforms, which can help third parties remove malicious domains from the internet

Check suspicious domains for their registration date, because short-lived domains might be malicious

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right