Sciextor

DNS Tunneling

DNS tunneling is a technique that exploits the DNS protocol to tunnel malware and other data through a client-server model.

The attacker registers a domain, such as badsite.com, and infects a computer with malware that sends DNS queries to the attacker’s server, where the data is encoded within the query name.

The attacker can also send commands and data back to the malware by encoding them in the DNS response fields.

This way, the attacker can exfiltrate data or control the infected computer without being detected by firewalls or other network security mechanisms.

Some statistics on DNS Tunnel are

• According to IDC’s 2021 Global DNS Threat Report, 87% of survey respondents have experienced some form of DNS attack in the last 12 months, an 8% increase from the previous year.
• The average cost of a DNS attack was $1.07 million, and the average number of attacks per organization was 9.5. The most common types of DNS attacks were phishing, malware-based DNS tunneling, and DDoS attacks
• DNS tunneling accounted for 34% of all DNS attacks in 2021, up from 25% in 2020
• DNS tunneling was the second most damaging type of DNS attack, after zero-day exploits, with an average cost of $1.27 million per attack
• DNS tunneling was the most difficult type of DNS attack to mitigate, with an average time of 6.83 hours per attack
• DNS tunneling was the most common type of DNS attack in the education sector, affecting 47% of organizations
• DNS tunneling was used by several threat groups, such as DarkHydrus and OilRig, to target government entities and other organizations in the Middle East

What can you do

• Change your DNS settings to use a trusted DNS provider, such as Google Public DNS or Cloudflare DNS. These providers have advanced security features that can detect and block malicious DNS traffic. To change your DNS settings, you can follow the instructions on this page
• Monitor your internet activities and look for any unusual or suspicious DNS requests or responses. You can use tools such as Wireshark or DNSQuerySniffer to capture and analyze your DNS traffic. If you notice any abnormal patterns, such as large amounts of data encoded in DNS queries or responses, or DNS queries to unknown or malicious domains, you may be a victim of DNS tunneling
• Use a DNS firewall or a real-time DNS solution to filter and block unwanted DNS traffic. A DNS firewall is a software or hardware device that can apply rules and policies to your DNS traffic and prevent any unauthorized or harmful DNS queries or responses. A real-time DNS solution is a service that can monitor and analyze your DNS traffic in real time and alert you of any potential DNS attacks. Some examples of DNS firewall and real-time DNS solution providers are Infoblox, Cisco Umbrella, and Heimdal Security