What is DNS Tunneling? - Check Point Software (2024)

What is DNS?

In simple terms, DNS is the phone directory of the Internet. When browsing the Internet, most users prefer to type in the domain or URL of the website that they want to visit (like https://www.checkpoint.com). However, the Internet’s servers and infrastructure use IP addresses to identify the destination of the traffic and route it there.

DNS translates domain names into IP addresses (and back). It is organized as a hierarchy of servers, each authoritative for its own part of the namespace. To resolve www.checkpoint.com, a resolver first asks a root server which servers are authoritative for .com, then asks a .com server which servers are authoritative for checkpoint.com, and finally asks one of those for the address record of www.checkpoint.com. Resolvers cache every answer, so most later lookups skip some or all of these steps. With the address in hand, the user's browser can connect to the site.

How does DNS Tunneling Work?

DNS is one of the fundamental protocols of the Internet. Without the lookup service it provides, finding anything on the Internet would be impractical: to visit a website, you would need to know the exact IP address of the server hosting it. As a result, DNS traffic is some of the most trusted traffic on the Internet. Organizations allow it to pass through their firewalls in both directions because internal employees must be able to resolve external names and external users must be able to find the organization's own services. Even when workstations cannot reach the Internet directly, their queries are normally forwarded by the organization's resolvers, so an outbound DNS path almost always exists.

DNS tunneling takes advantage of this fact by using DNS queries and responses to implement a command and control channel for malware. Outbound queries carry exfiltrated data or the malware's replies to its operator, while the responses carry commands back in. This works because DNS is a very flexible protocol. The protocol itself permits almost any bytes in a name, subject only to size limits (63 bytes per label, 253 characters for the whole name); the familiar letters, digits, and hyphens are a convention for hostnames, not a rule enforced by DNS. Malware therefore encodes its data, typically in base32 or hex because names are case-insensitive, into the subdomain labels of a query for a domain the attacker controls. Because the attacker runs the authoritative name server for that domain, the organization's own resolvers forward every such query to it, and the attacker answers with data packed into the response, commonly in TXT, CNAME, or NULL records, which likewise accept largely arbitrary content.

DNS tunneling attacks are simple to perform, and numerous DNS tunneling toolkits exist. This makes it possible for even unsophisticated attackers to use this technique to sneak data past an organization’s network security solutions.

Detecting DNS Tunneling Attacks

DNS tunneling involves abuse of the underlying DNS protocol. Instead of using DNS requests and replies to perform legitimate IP address lookups, malware uses it to implement a command and control channel with its handler.

DNS’s flexibility makes it a good choice for data exfiltration; however, it has its limits. Some indicators of DNS tunneling on a network can include:

  • Unusually structured query names: DNS tunneling malware encodes data within the requested name (like DATA_HERE.baddomain.com). Compared with human-chosen hostnames, these labels tend to be long, numerous, and high in entropy, and each query usually carries a subdomain that has never been seen before. Inspecting the names within DNS queries for these properties may enable an organization to differentiate legitimate traffic from attempted DNS tunneling.
  • Requests for unusual domains: DNS tunneling only works if the attacker controls the authoritative name server for the target domain, so that the queries reach their infrastructure. If an organization sees a sudden surge in requests for a domain it has never resolved before, it may indicate DNS tunneling, especially if that domain was registered only recently.
  • High DNS traffic volume: The name within a DNS query has a maximum size (253 characters, with no single label longer than 63 bytes), and a response is limited to a few hundred bytes over UDP unless larger messages are negotiated. The channel therefore has low throughput, so an attacker will need a large number of DNS queries, each typically to a unique subdomain that cannot be served from cache, to exfiltrate data or run an interactive command and control session. The resulting spike in DNS traffic to a single domain can be an indicator of DNS tunneling.

All of these factors can be benign on their own. However, if an organization is experiencing several or all of these abnormalities, it may be an indication that DNS tunneling malware is present and active within the network.
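To make both halves of the picture concrete, the following Python is an added example written for this page; it is not Check Point code and not taken from any real tunneling toolkit or capture. The first two functions show the encoding channel described under "How does DNS Tunneling Work?": a payload is split into base32 labels under a domain the attacker is assumed to control (`baddomain.com`, the article's own placeholder), and the attacker's side reassembles it. The remaining functions implement the three indicators listed above as a small detector run over a constructed query log: per registered domain it counts queries, the share of never-repeated subdomains, long labels, and high-entropy labels, and flags a domain only when at least two indicators coincide. The thresholds, the payload, and the benign lookups are all assumptions chosen for illustration.

```python
import base64
import math

# Everything below is constructed for illustration; the attacker domain,
# the payload and the "log" of query names are assumptions, not data from
# the article or from any real capture.
ATTACKER_DOMAIN = "baddomain.com"
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # a full name is at most 253 characters in text form


def encode_chunks(payload: bytes, domain: str, label_len: int = 50) -> list:
    """Tunnel side: split the payload into base32 labels under the attacker's domain.

    Base32 rather than base64 because DNS names are case-insensitive and a
    resolver may fold case, which would corrupt a base64 alphabet. Each query
    name is <sequence>.<chunk>.<domain> so the receiver can reorder queries.
    """
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    names = []
    for seq, start in enumerate(range(0, len(text), label_len)):
        chunk = text[start:start + label_len]
        name = f"{seq}.{chunk}.{domain}"
        assert len(chunk) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_chunks(names: list, domain: str) -> bytes:
    """Attacker's authoritative server: reassemble the payload from query names."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        seq, chunk = name[: -len(suffix)].split(".", 1)
        chunks[int(seq)] = chunk
    text = "".join(chunks[i] for i in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)          # restore the base32 padding
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores higher than human-chosen hostnames."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    # Assumption: the registered domain is the last two labels. A production
    # detector would use the public suffix list so that e.g. co.uk is handled.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def analyse(queries: list, min_queries: int = 20, long_label: int = 40,
            min_entropy: float = 3.5) -> dict:
    """Detector side: score each registered domain on the indicators from the
    article and flag it only when at least two of them coincide."""
    stats = {}
    for q in queries:
        q = q.rstrip(".").lower()
        reg = registered_domain(q)
        sub_labels = q.split(".")[:-2]
        st = stats.setdefault(reg, {"queries": 0, "subdomains": set(),
                                    "long": 0, "entropy": 0})
        st["queries"] += 1
        st["subdomains"].add(".".join(sub_labels))
        for lab in sub_labels:
            if len(lab) >= long_label:
                st["long"] += 1
            if shannon_entropy(lab) >= min_entropy:
                st["entropy"] += 1
    flagged = {}
    for reg, st in stats.items():
        reasons = []
        # Volume alone is not enough: 30 lookups of www.checkpoint.com are
        # normal, 30 lookups of 30 different subdomains are not.
        if st["queries"] >= min_queries and len(st["subdomains"]) / st["queries"] > 0.8:
            reasons.append("high volume of unique subdomains")
        if st["long"]:
            reasons.append("long labels")
        if st["entropy"]:
            reasons.append("high-entropy labels")
        if len(reasons) >= 2:
            flagged[reg] = reasons
    return flagged


# Constructed traffic: ordinary lookups plus one exfiltrated file.
BENIGN = ["www.checkpoint.com"] * 30 + ["mail.example.org", "cdn-assets.example.org",
                                        "api.example.org"]
PAYLOAD = b"constructed sample record, not real data\n" * 20
TUNNEL = encode_chunks(PAYLOAD, ATTACKER_DOMAIN)

if __name__ == "__main__":
    assert decode_chunks(TUNNEL, ATTACKER_DOMAIN) == PAYLOAD
    print(len(TUNNEL), "tunnel queries, first:", TUNNEL[0])
    for reg, why in analyse(BENIGN + TUNNEL).items():
        print(reg, "->", ", ".join(why))
```

Running the script shows that the 820-byte payload needs 27 queries of about 67 characters each, which is the throughput ceiling the third indicator relies on, and that only baddomain.com is flagged: checkpoint.com receives just as many queries but they all repeat the same name, so it earns no reason at all. In a real deployment the input would be the query log of the internal resolver (or passive DNS from a network sensor), the registered-domain split would use the public suffix list, and the thresholds would be tuned against a baseline of the organization's own traffic.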

How to Protect Against DNS Tunneling

Protecting against DNS tunneling requires a network threat prevention system capable of detecting and blocking this attempted data exfiltration. Such a system needs to inspect DNS traffic itself, not just allow it through on port 53, and to have access to robust threat intelligence so that it can identify queries directed toward malicious or newly registered domains and malicious content embedded within DNS messages. It also helps to force all resolution through internal resolvers that log queries, and to block direct outbound DNS from endpoints, so that the traffic the detection system inspects is complete.

Check Point’s next-generation firewalls (NGFWs) provide industry-leading threat detection and network security capabilities. To learn more about Check Point’s solutions and how they can improve your organization’s network security, contact us. You’re also welcome to request a demonstration to see Check Point NGFWs in action.
