The Domain Name System (DNS) protocol is one of the most widely used and trusted protocols on the Internet. However, DNS tunneling attacks abuse this protocol to sneak malicious traffic past an organization’s defenses. By using malicious domains and DNS servers, an attacker can use DNS to evade network defenses and perform data exfiltration.
In simple terms, DNS is the phone directory of the Internet. When browsing the Internet, most users prefer to type in the domain or URL of the website that they want to visit (like https://www.checkpoint.com). However, the Internet’s servers and infrastructure use IP addresses to identify the destination of the traffic and route it there.
DNS provides conversions between domain names and IP addresses. It is organized as a hierarchical system with servers for different subdomains. A visitor to the site checkpoint.com would ask a .com DNS server for the IP address of the checkpoint.com DNS server. A second request to this DNS server would then provide the IP address of the server hosting the desired webpage. The user is now able to visit their desired site.
DNS is one of the fundamental protocols of the Internet. Without the lookup services that it provides, it would be nearly impossible to find anything on the Internet. To visit a website, you would need to know the exact IP address of the server that is hosting it, which is impossible. As a result, DNS traffic is some of the most trusted traffic on the Internet. Organizations allow it to pass through their firewall (both inbound and outbound) because it is necessary for their internal employees to visit external sites and for external users to find their websites.
DNS tunneling takes advantage of this fact by using DNS requests to implement a command and control channel for malware. Inbound DNS traffic can carry commands to the malware, while outbound traffic can exfiltrate sensitive data or provide responses to the malware operator’s requests. This works because DNS is a very flexible protocol. There are very few restrictions on the data that a DNS request contains because it is designed to look for domain names of websites. Since almost anything can be a domain name, these fields can be used to carry sensitive information. These requests are designed to go to attacker-controlled DNS servers, ensuring that they can receive the requests and respond in the corresponding DNS replies.
DNS tunneling attacks are simple to perform, and numerous DNS tunneling toolkits exist. This makes it possible for even unsophisticated attackers to use this technique to sneak data past an organization’s network security solutions.
DNS tunneling involves abuse of the underlying DNS protocol. Instead of using DNS requests and replies to perform legitimate IP address lookups, malware uses it to implement a command and control channel with its handler.
DNS’s flexibility makes it a good choice for data exfiltration; however, it has its limits. Some indicators of DNS tunneling on a network can include:
All of these factors can be benign on their own. However, if an organization is experiencing several or all of these abnormalities, it may be an indication that DNS tunneling malware is present and active within the network.
Protecting against DNS tunneling requires an advanced network threat prevention system capable of detecting and blocking this attempted data exfiltration. Such a system needs to perform inspection of network traffic and have access to robust threat intelligence to support identification of traffic directed toward malicious domains and malicious content that may be embedded within DNS traffic.
Check Point’s next-generation firewalls (NGFWs) provide industry-leading threat detection and network security capabilities. To learn more about Check Point’s solutions and how they can improve your organization’s network security, contact us. You’re also welcome to request a demonstration to see Check Point NGFWs in action.