What is DNS Tunneling?
by Tina Siering
What is the DNS protocol?
The Domain Name System (DNS) is one of the central protocols on the Internet. Its task is to translate domain names into IP addresses. It is therefore a service that maps a particular domain to an IP address, and thus to a server, and in this way makes the connection possible.
When browsing the Internet, the role of DNS is easy to see. If you enter the address www.secion.de in your browser, for example, you are taken directly to the desired website. Behind the scenes, however, the web server that hosts secion's content is reachable only under a numeric IP address. DNS translates the domain request into that IP address and thus enables the connection.
For this to work, a link must first exist between the IP address and the domain name. The so-called DNS servers are responsible for this; they are central components of the Internet's infrastructure. The DNS servers store these links and thereby direct domain requests on the Internet.
How does DNS tunneling work?
Normally, a request to the DNS server has a uniform format, and both requests and responses are very short. The DNS server answers a domain request with the associated IP address; no other content is included in the requests. The actual communication between the client and the server, for example between a browser and the web server, then runs over a different protocol.
A DNS request therefore always involves communication between two computers. Hackers take advantage of this: anyone can operate their own web server on the Internet, and the configuration of the DNS entries is then the responsibility of the operator of the website hosted under that domain. In DNS tunneling, subdomains in particular are used for the attacks. A subdomain sits hierarchically below the top-level domain and is usually set up for subpages or country portals. For example, de.wikipedia.org is the subdomain of wikipedia.org that carries the German content.
With DNS tunneling, a subdomain is set up to serve as the communication interface to the target. This subdomain has no other function and is not filled with web content. Only its DNS record is active, and that record is set via the top-level domain.
The target system is first infected with malware, typically a simple Trojan that stays hidden and handles outbound communication. This Trojan uses the system's Internet connection to send a request for the hackers' prepared subdomain. The subdomain answers, and the DNS response itself carries manipulated content that is specified via the subdomain's name. The name of such a subdomain can be chosen arbitrarily and can, for example, itself be an encoding that the Trojan decodes on the target system. In this way, hidden communication can be sent to the infected system through nothing more than the name of a subdomain. The result is a tunneled connection for the covert transfer of data or commands.
For what purposes do hackers use DNS tunneling?
Cybercriminals use DNS tunneling for different purposes. One comparatively simple use is as a signal: as long as the Trojan on the target system keeps sending its DNS request, the hackers know that the system is active and connected to the Internet, and that the infection has not been detected by IT security.
It is more dangerous when the attackers use DNS tunneling to control malware. Commands can be sent through the DNS requests, so the malware can be remotely controlled without an active, direct connection between the attackers and the compromised system.
Similarly, hackers also use DNS tunneling to access data on target systems. On instruction, for example, the malware searches the hard disk for specific data and then transfers it to the Internet or simply deletes it.
Another possibility is that the hackers use DNS tunneling to download further malware. Instructions sent over the tunnel tell the malware to initiate the download. In this way the system can be flooded with more malware, such as ransomware, causing a great deal of damage.
Using DNS tunneling for such attacks is costly but very unobtrusive. Moreover, the attackers may initially need only one successful intrusion technique to get onto the network. From there they launch a Trojan that sets up the DNS tunnel and then initiates further cyberattacks.
Why is DNS tunneling so difficult to detect?
DNS tunneling is a very sophisticated attack vector. The DNS protocol is simple and, in itself, not suited to cyberattacks. At the same time, DNS requests are among the most ordinary events on a network and occur in huge numbers every day. For this reason, few security measures deal with DNS traffic, and the attackers' chance of success with DNS tunneling is correspondingly high.
Moreover, DNS tunneling leaves little evidence of compromise on the infiltrated system. A machine that sends DNS queries is at first completely inconspicuous; as mentioned, every system that calls up a website on the Internet does the same. DNS tunneling itself also requires no malware on the target computer. Although malware is used in combination with the attack, DNS tunneling is only the second stage, which begins only if the malware has gone undetected in the first stage. The tunneling itself is then very difficult to detect. Yet it is in this stage that the actual attack begins, namely the exfiltration of data or the further spreading of malware.
What are the defenses against DNS tunneling?
Defending against DNS tunneling is comparatively complex. Classic virus scanners usually do not detect this form of activity, since no software is involved at all; virus scanners focus primarily on finding malware that is present on a computer.
Firewall settings also offer no protection against DNS tunneling, because all DNS requests travel over the same port, UDP and TCP port 53. If traffic on this port is blocked, computers on the network can no longer make DNS requests, and Internet browsing and many network services stop working.
There are also firewall solutions that maintain blacklists and block domains and IP addresses known to host command-and-control servers. However, these blacklists usually contain only already-known domains, whereas in APTs attackers set up new domains and use IP addresses that have not yet been flagged. Accordingly, even such systems do not provide sufficient protection, especially against targeted attacks.
An effective defensive technique, on the other hand, is systems that actively monitor the network. Such solutions for early attack detection access logs and search them for conspicuous activity. These logs include the DNS queries of computers and the event logs of routers, and they contain the manipulated or atypical DNS queries generated during tunneling.
Early attack detection can identify such log entries as indications of a cyberattack because they are atypical. These systems scan the network continuously and use artificial intelligence to look for activity that does not match normal traffic or otherwise points to unauthorized activity. With these capabilities, early attack detection is one of the best defenses against DNS tunneling.
There are also techniques that focus on analyzing the DNS traffic itself, mainly payload analysis and traffic analysis. Payload analysis evaluates the contents of DNS requests, looking for atypical content. This includes, for example, record types in the queries such as "TXT", which do not occur in a normal DNS query. A policy can also be introduced if there is an internal DNS server used for caching queries: with DNS tunneling, this path is bypassed and the infected system sends its DNS requests directly to the attackers' server. However, there are also DNS attacks that run via the internal DNS server and thus get past this defense as well.
Another promising policy focuses on the length of the queries. An important clue is the length of the host name. Most hosts have comparatively short names, such as secion.de. With DNS tunneling, attackers use the part of the request reserved for the host name to transmit commands, so these requests are long. A policy can be implemented that highlights hostname requests longer than 52 characters, so that IT security can examine them more closely. In a manual check, such strings stand out immediately, whereas they would otherwise be lost in the mass of log entries.
Traffic analysis focuses on evaluating the volume of requests as well as the IP addresses involved. In attacks via DNS tunneling, the number of requests to the hacker's IP address rises sharply, and an accumulation of requests to one specific IP address becomes noticeable. The size of the requests can also be observed: typical DNS requests are compact and limited to 512 bytes. If, on the other hand, the hackers use the DNS queries to transmit commands, for example to control malware, the packets exceed 512 bytes, which is another indication of DNS tunneling.
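As an added example (not code from the original article), the payload and traffic heuristics described above applied to a few constructed DNS query log lines: the 52-character hostname limit, TXT query types, bypass of the internal caching resolver, packets over 512 bytes, and an accumulation of requests to one domain. The log format, the internal resolver address 10.0.0.53 and the per-domain volume threshold are assumptions.

```python
from collections import Counter

INTERNAL_RESOLVER = "10.0.0.53"   # assumed address of the internal caching resolver
MAX_NAME_LEN = 52                 # hostname length policy from the text
MAX_QUERY_BYTES = 512             # size of a typical, compact DNS message
VOLUME_THRESHOLD = 3              # queries per registered domain before flagging

# Constructed sample log lines: client, resolver, record type, queried name, bytes.
SAMPLE_LOG = """\
10.0.0.21 10.0.0.53 A www.secion.de 45
10.0.0.21 10.0.0.53 AAAA de.wikipedia.org 52
10.0.0.37 203.0.113.9 TXT 48656c6c6f2066726f6d20636c69656e742031302e302e302e3337.c2.example 610
10.0.0.37 203.0.113.9 A 6c6f6f6b696e67.c2.example 60
10.0.0.37 203.0.113.9 A 646f6e65.c2.example 54
10.0.0.42 10.0.0.53 A mail.secion.de 44
"""

def parse_log(text):
    """Split the space-separated lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, resolver, qtype, qname, size = line.split()
        records.append({"client": client, "resolver": resolver, "qtype": qtype,
                        "qname": qname, "size": int(size)})
    return records

def registered_domain(qname):
    """Last two labels of a name, e.g. 'c2.example' for 'abc.c2.example'."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(records):
    """Apply the per-query payload rules and the per-domain volume rule; return rule -> hits."""
    alerts = {"long_hostname": [], "txt_query": [], "resolver_bypass": [],
              "oversized": [], "volume": []}
    per_domain = Counter()
    for r in records:
        if len(r["qname"]) > MAX_NAME_LEN:          # hostname longer than 52 chars
            alerts["long_hostname"].append(r["qname"])
        if r["qtype"] == "TXT":                     # record type unusual for lookups
            alerts["txt_query"].append(r["qname"])
        if r["resolver"] != INTERNAL_RESOLVER:      # internal caching server bypassed
            alerts["resolver_bypass"].append(r["qname"])
        if r["size"] > MAX_QUERY_BYTES:             # packet exceeds 512 bytes
            alerts["oversized"].append(r["qname"])
        per_domain[registered_domain(r["qname"])] += 1
    alerts["volume"] = [d for d, n in per_domain.items() if n >= VOLUME_THRESHOLD]
    return alerts
```

Calling `analyze(parse_log(SAMPLE_LOG))` flags the TXT query under every payload rule and c2.example under the volume rule, while the secion.de and wikipedia.org lookups trigger nothing.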
Conclusion on DNS tunneling and the potential danger
DNS tunneling is one of the more sophisticated tools hackers use to gain unnoticed access to foreign networks, and it is precisely this that makes it so dangerous. Hackers favor this attack vector when they want to remain undetected, which points to targeted attacks, for example ones involving the theft of important data or the preparation of a large-scale attack such as ransomware. For this reason, such activity must be taken seriously, and IT security needs appropriate tools to defend against it, such as early attack detection.