Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Company
Platform
Modern NDR
Resources
Company
DETECTION OVERVIEW
Risk Factors
Even though advanced skills are not required to set up a DNS tunnel, this type of C&C channel is not commonly deployed by attackers. DNS tunnels have rigid requirements that do not allow for large data transfers. However, the presence of a DNS tunnel on your network indicates that an attacker might be conducting a persistent attack. The ultimate objective of a persistent attack, such as data exfiltration, could have a significant impact on a business or organization.
The system might change the risk score for this detection.
Category
DNS is a common protocol that can bypass firewalls and proxy servers when delivering information between a client and server. Typically, a DNS query includes a hostname that needs to be resolved into an IP address. A DNS tunnel is a malicious manipulation of normal DNS services to exchange arbitrary data, such as malware commands or exfiltrated data, between a compromised device and a C&C server. First, the compromised device sends DNS requests and receives DNS responses for subdomains of an attacker-controlled domain. The attacker's server, which acts as the authoritative name server for the malicious domain, sends or receives the arbitrary data. DNS tunnels can help the attacker maintain contact with a compromised device while evading intrusion detection systems.
Legitimate software that submits license checks or file hashes over DNS can cause false positives. As you investigate, look for the combination of suspicious domains and arbitrary data within DNS queries to confirm the presence of a DNS tunnel.
Quarantine the potential DNS tunneling client devices and check for other malicious activity
Force all DNS clients to send queries to an internal DNS server that filters or blocks suspicious domains
Report the suspicious domain to threat intelligence platforms, which can help third parties remove malicious domains from the internet
Check suspicious domains for their registration date, because short-lived domains might be malicious
Network analysis and visibility solutions remain underrepresented in enterprises. Find out why in this preview of a new Wave report.
ExtraHop® Named a Leader in First-Ever Gartner® Magic Quadrant™ for Network Detection and Response
Visit this resource for more information.
This analysis exposes the critical link between an organization's lack of internal visibility and the escalating cost of compromise, demanding an urgent re-evaluation of how core business assets are protected.
Learn why you need to be wary of the claims certain network detection and response providers make about their coverage against the MITRE ATT&CK framework.
Learn how NDR from RevealX helps security teams detect and investigate more adversary TTPs in the MITRE ATT&CK framework than rule-based tools.
