If DNS never existed, the internet as we know it would sink into oblivion. DNS translates domain names into IP addresses, and there's no doubt that any organization's DNS is bubbling with traffic, often unnoticed by many security analysts. This makes it an attractive vector for a hacker hoping your DNS traffic isn't monitored. While DNS was designed to translate domain names, a small amount of data can be carried inside each query and response, and hackers exploit exactly that to launch a DNS tunneling attack.
Let's first start with the basics. DNS traffic is generally allowed to pass through perimeter protection solutions, like firewalls, so it evades the organization's defenses. It provides the perfect channel for hackers to establish a virtual tunnel, which is basically a connection that carries a malicious payload in the form of commands or tiny chunks of data. DNS isn't really a data transmission protocol, but sophisticated hackers can leverage it to transmit destructive data between the victim's system and the attacker's server.
A DNS tunneling attack depends on the client-server model of accessing resources.
DNS tunneling is not the easiest attack to detect. You can't just apply detection logic and expect surefire results at spotting its occurrence.
But there are a couple of near-surefire indicators that alert you to a DNS tunneling attack.
Unusual domain name requests: The domain names to the C&C servers are usually random like "asdggj.com" or "12.345.672.hujist.com". If such domain names are encountered in the logs, they should be immediately blacklisted. Also, top-level domain names, such as .tk and .ru, are suspicious and should be checked for malicious activity.
Abnormal volume of DNS: When a large number of DNS queries are sent in a short span of time to domains with unusual names, it is a sure sign of malicious activity. If these queries occur at odd hours, it's possible that the querying systems are infected. If you utilize a UEBA system in your security strategy, you could establish a baseline to determine DNS traffic during a typical day. After that, any spike in DNS volume above a certain threshold (like twice the normal volume) could be a great way to spot DNS tunnels in your network. This is because DNS tunnels can only transmit small amounts of data at a time through the query. A hacker would have to use several queries to run commands, or to exfiltrate data, thereby leading to a spike in query volumes.
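To show how the two indicators above turn into hunting logic, here is an added example (not part of the original post or of any vendor product) that scores queried names for the traits described (suspicious TLDs, long or high-entropy subdomain labels, runs of numeric labels) and compares each client's hourly query count against a per-client baseline using the "twice the normal volume" threshold. The log lines, baseline figures and thresholds are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample resolver log entries (hour, client, queried name); not real data.
SAMPLE_LOG = [
    (9, "10.0.0.5", "www.example.com"),
    (9, "10.0.0.5", "mail.example.com"),
    (9, "10.0.0.7", "updates.vendor.net"),
    (3, "10.0.0.9", "7f3a9c1e4b8d0f2a6c5e9b3d1f7a4c8e2b6d0f9a.hujist.tk"),
    (3, "10.0.0.9", "b2d6f0a4c8e2b6d0f9a7f3a9c1e4b8d0f2a6c5e9.hujist.tk"),
    (3, "10.0.0.9", "12.345.672.hujist.com"),
]
# Constructed per-client baseline: typical queries per hour on a normal day.
BASELINE_PER_HOUR = {"10.0.0.5": 40, "10.0.0.7": 25, "10.0.0.9": 1}
SUSPICIOUS_TLDS = {"tk", "ru"}  # TLDs the article singles out; tune per environment

def label_entropy(label):
    """Shannon entropy (bits per character) of one label; encoded payloads score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def name_reasons(qname, max_label=30, min_entropy=3.0):
    """Return the reasons a queried name looks like tunnel traffic (empty means clean)."""
    labels = qname.rstrip(".").lower().split(".")
    reasons = []
    if labels[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious-tld")
    longest = max(labels[:-1], key=len, default="")
    if len(longest) > max_label:
        reasons.append("long-label")           # data packed into a subdomain label
    if len(longest) >= 16 and label_entropy(longest) > min_entropy:
        reasons.append("high-entropy-label")   # looks hex/base32 encoded
    if sum(l.isdigit() for l in labels[:-2]) >= 2:
        reasons.append("numeric-labels")       # e.g. 12.345.672.hujist.com
    return reasons

def volume_spikes(log, baseline, factor=2.0):
    """Clients whose hourly query count exceeds factor x their own baseline."""
    per_hour = Counter((hour, client) for hour, client, _ in log)
    return {(h, c): n for (h, c), n in per_hour.items()
            if n > factor * baseline.get(c, 0)}

def hunt(log, baseline):
    """Combine both indicators: flagged names plus clients with volume spikes."""
    flagged = {q: name_reasons(q) for _, _, q in log if name_reasons(q)}
    return {"names": flagged, "spikes": volume_spikes(log, baseline)}

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG, BASELINE_PER_HOUR))
```

Short pseudo-random names such as "asdggj.com" fall below these length thresholds, so catching them takes a dictionary or n-gram check on top of this logic.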
DNS tunneling isn't an attack where you can pinpoint its presence by relying on detection mechanisms or correlation rules. Rather, your team will have to use manual threat hunting methods based on the indicators of compromise we discussed above.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.