Home Explainers What is DNS Tunneling and How is it Prevented?

What is DNS Tunneling and How is it Prevented?

In a DNS tunneling attack, hackers use data payloads to compromise the targeted DNS server and gain remote control of the operations.

DNS attacks

Hacker intrusions on organizations’ Domain Name Systems (DNS) have become prevalent in recent times. According to the 2021 Global DNS Threat Report from network security automation solutions provider EfficientIF, nearly 90% of organizations sustained a Domain Name System (DNS) attack last year. Threat actors exploit vulnerabilities in the DNS to access the targeted network systems. Cybercriminals use various hacking tactics to compromise critical digital assets, and one of them is DNS Tunneling.

By Rudra Srinivas, Senior Feature Writer, CISO MAG

DNS is an important protocol that plays a critical role in web browsing and email services. DNS enables applications and service platforms to use domain names (like cisomag.com) rather than IP addresses.

What is DNS Tunneling?

DNS tunneling is a malicious activity leveraged by threat actors to bypass the firewall and tamper with DNS queries and responses protocols. In a DNS tunneling attack, hackers use data payloads to compromise the targeted DNS server and remotely take over operations.

How Does DNS Tunneling Work?

Initially, hackers deploy the malware into DNS queries to create a covert communication channel bypassing security scans. This will enable bad actors with a backchannel to exfiltrate sensitive data from the compromised DNS.

DNS attackers then tunnel protocols like SSH or HTTP in the DNS server and stealthily tunnel IP traffic. DNS tunneling technique allows attackers to transfer files, download additional payloads to the existing malware, and gain complete remote access to the targeted system.

How to Identify DNS Tunneling Attacks

DNS misuse can be identified in two ways:

  1. Payload analysis – Identifying unnecessary or unusual information received by the DNS server. Security admins can look for odd hostnames, a new DNS record type, or unique character sets.
  2. Traffic analysis – Evaluating the number of DNS domain requests received compared to the normal traffic. DNS attackers usually send huge traffic to the compromised DNS server, traffic that is greater than a normal DNS exchange.

How to Prevent DNS Tunneling

  • Keep a close track of suspicious domains and IP addresses from unknown sources.
  • Configure all internal clients to send queries to an internal DNS server to filter any suspicious domains.
  • Always monitor DNS traffic and be vigilant for suspicious domains to mitigate the risks of DNS tunneling.
  • Configure a DNS firewall to identify and prevent any hacker intrusion.
  • Enable real-time DNS solutions that detect unusual queries and patterns on the DNS server.

About the Author

Rudra Srinivas

Rudra Srinivas is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news and feature stories on cybersecurity trends.       

More from the Rudra.