Domain name systems or DNS is a protocol that translates URLs into IP addresses. DNS tunneling is a type of cyber-attack launched against company networks that encodes the data of other programs through a client-server model. It is a misuse of DNS. A DNS server links the twelve-digit IP addresses with the domain name, the tunneling is an attempt to seize the protocol. There should be external network connectivity, and access to an internal DNS server with network access for it to work. A DNS determines how we share information online, but it is vulnerable in terms of security. Hackers use DNS as an established route to data-stealing for malicious purposes. Hackers use DNS tunneling to own a network. It has been around for almost 20 years. Morto and Feederbot malware have been used for DNS tunneling. In tunneling, hackers use the established pathway of DNS to gain confidential information of the company for malicious purposes. Often, email addresses serve as a valuable source for data breaching.

How does DNS Tunneling work?

The attacker initially acquires a fake domain name and then installs a tunneling program that is directed towards its server. The hacker easily contaminates the computer because the DNS requests are always allowed to move in and out of the firewall. The DNS resolver then gives the query to the fake domain server of the attacker, where the tunneling program is installed. The tunnel is used to extract data for malicious purposes. With the help of the DNS resolver, there is a route established between the company networks and the attacker. It is difficult to track the hacker’s computer as there is an indirect connection.

Preventive measures for DNS Tunneling

  • The tool should be designed such that it identifies both, more complex data extraction techniques and attacks based on preconfigured toolkits.
  • To avoid the possession of data, a tool must be installed that blacklists the destinations which are to extract data. This activity must be done on a regular basis.
  • A DNS firewall should be configured and designed such that it quickly identifies any intrusion. A firewall serves as a pathway for exfiltration.
  • Users will make more viable security decisions when a DNS solution provides real-time analytics that examines any unusual queries and patterns. Tracking the state of the network by the DNS protected solution is more efficient.

Tools to Prevent & Detect DNS Tunneling:

The DNS tools should be able to track any harmful queries or activities and prevent it immediately. Detection is only a part of the scrutiny process. The tool should be designed as such to eliminate any abnormal patterns.

TunnelGuard

This tool is introduced by Secure64. TunnelGuard is an on-box security service that identifies and blocks the DNS tunnels using behavioral analytics that are comprehensive in nature. Only after a few DNS queries, the TunnelGuard enables the detection before any damage is caused.

Zscaler

The Zscaler service provides a DNS proxy. This proxy can be utilized as a firewall to DNS traffic. All the traffic that goes by this proxy firewall is tracked by the service. These logs are processed and sent to the DNS tunneling detection engine. The detector uses advanced analytics to identify the risks. When the hostname is detected the information is transferred to Zscaler Enforcement Nodes (ZENs) which then gets acted upon as per your policies.

Splunk

It keeps track of a large volume of data which can be used to analyze & detect the malicious users on networks.