Skip Navigation
BlackBerry Blog

DNS Tunneling: A Guide to Detection and Prevention

DNS tunneling attacks can go on for weeks, even months. Sometimes you won’t realize you’ve been attacked until you discover your data has been exfiltrated, and you’re forced to triage the incident.

As a BlackBerry machine learning (ML) engineer working in the cybersecurity space, it's my job to develop new ways to counter constantly-evolving threat actor tactics, techniques, and procedures (TTPs). DNS tunneling is a particularly sneaky technique that allows bad actors to circumvent most traditional digital defenses, like firewalls. In this article, I will explain what DNS tunneling is, how it works, how to prevent it, and outline some DNS security best practices.

What Is DNS Tunneling?

The Domain Name System (DNS) can be thought of as kind of like the phone book of the internet. It’s a protocol that translates easy-to-understand domain names or URLs written in the user’s native language — into numerical IP addresses that computers use to route traffic to a given destination. This saves users from having to memorize long sets of meaningless numbers; instead, they just need to know the “name” of the website; for example, BlackBerry.com. DNS automatically translates the name of the website entered into the browser into the unique number assigned to the website, or rather the servers the website is hosted on.

The DNS is universally used and trusted by organizations and individuals worldwide. For a long time, the system was not considered a significant security threat, so many organizations did not apply the same level of scrutiny to their DNS traffic as they might do to traffic from other sources. This mindset continues at many organizations today. And it's one of the reasons threat actors frequently employ DNS-based attacks — like the DNS tunneling technique used in ransomware — as an effective and relatively silent mode of attack against company networks.

Watch the video below to learn about DNS tunneling in under 10 minutes.


How DNS Tunneling Works

DNS tunneling abuses the DNS protocol to transmit data over a network without having to make a “live” network connection to an endpoint. At a high level, a DNS tunneling attack has three stages:

  1. The threat actor registers a domain, let’s call it tunnel[.]badactor[.]com. The domain name points to the actor’s command-and-control (C2) server, used for communication and potential data theft, where a tunneling malware program is installed.

  2. The bad actor infects a computer at the target organization with malware, which then encodes the information desired by the attacker. Let’s say the malware’s goal is to transmit a list of users — Alice, Bob, and Eve — as Base64 data. The instructions would just look like strings of characters like this “W2FsaWNlLCBib2IsIGV2ZV0.” Given that DNS requests are rarely blocked by firewalls, the infected computer is allowed to send a DNS request for the domain, which in this example would look like this: “W2FsaWNlLCBib2IsIGV2ZV0.tunnel.badactor.com.”

  3. The DNS resolver — the function that converts domain names into IP addresses — routes the query to the threat actor’s C2 server, where the tunneling program is installed. The data has now been transmitted from the victim back to the threat actor, with the DNS resolver acting as an intermediary between the victim and the threat actor, and the encoded target data is transmitted to the C2 server.

    At this point, the attacker can go on to use this tunnel to exfiltrate more data, which they then use for any number of nefarious purposes — to be sold on the black market, to advance a “double extortion” ransomware attack (where the user’s data is first stolen and then encrypted on the host machine), or even used for purposes of espionage. Since there is no direct connection between the threat actor and victim, the use of DNS tunneling makes it more difficult for defenders to trace the source of the attack.

A typical DNS attack chain
 

DNS Attack Example

For the more technically inclined, this example shows how threat actors may gather and exfiltrate information about local administrators.

  1. Attacker gains access to a machine and gathers user information:


2. The attacker then encodes that information in Base64 format:
 

3. To transmit the data over a DNS tunnel, they split the encoded data into chunks and send DNS requests to a domain they own, using the encoded data as the subdomain:
 

4. The DNS service will attempt to map each subdomain to an IP address, and when it fails to find it in cache, will query badactor[.]com for each address. In this way, the attacker will receive the encoded data. They can then simply decode it to get the information their malware gathered. At no point during this process did the infected machine make a connection to the malware server, nor was any data transmitted over conventional channels. The attacker simply took advantage of the foundational nature of DNS to surreptitiously transmit private information without detection.
 

Why DNS Tunneling Is Hard to Counter With Traditional Defense

DNS tunneling is a real threat to both organizations and private individuals alike, because it can bypass firewalls undetected, leaving traditional security systems clueless. While it is technically possible to block DNS services with a firewall, doing so leads to considerable friction within the organization. Blocking or restricting network traffic can leave users frustrated, unable to access network resources and certain locations on the internet. This can make IT or security leaders look like they are micromanaging or setting up roadblocks to productivity, instead of enabling the business. Since DNS tunneling is both difficult to detect and frustrating to stop with traditional methods, it is a gold mine for bad actors who want to exfiltrate data from their target network without being detected.

Preventing DNS Tunneling

There are several ways to proactively defend against DNS tunneling. One approach is to implement cloud-native zero trust network access (ZTNA). With this in place, everyone and everything connected to your environment must continuously prove themselves trustworthy, or access will be denied. When implemented correctly, this approach is virtually invisible to the end users in an organization.

Another option is to utilize policies and rule settings that are typically tied to either traffic analysis or payload analysis, both of which are practiced methods of DNS monitoring and attack detection. Here are examples of how each approach can mitigate DNS tunneling risk:

  • Traffic analysis uses factors such as how long since a domain was created, the number of requests made from a domain, the geographic region associated with the domain, and the known reputation or perceived risk of a domain to separate normal DNS traffic from malicious behavior.

    Some organizations implement behavioral analytics to automatically identify anomalies, such as new domains being accessed that fall outside the type of sites typically accessed by employees during working hours. IT and security teams can also block domain names, IP addresses, or geolocation regions, based on known reputation or perceived risk. This increases your odds of spotting and stopping an attack.

  • Payload analysis looks at factors such as the length, type, or size of DNS queries, which can help identify suspicious activity. As such, another approach is for IT and security teams to set rules around these factors that apply to both outbound and inbound DNS queries.

  • Many organizations are now leveraging new ZTNA technology. A ZTNA solution such as CylanceGATEWAY™ offers an embedded DNS traffic analysis service. This increases visibility into what’s happening in your environment. Tenant admins can see suspicious activity as either a special zero-day alert type, or as a block, depending on their user configuration settings.

DNS Security Best Practices

Here are some useful strategies to reduce your organization’s risk of becoming a victim of DNS tunneling:

Embrace Zero Trust Principles

Zero trust security approaches combat DNS tunneling attacks through a default “deny” posture that can significantly mitigate this risk, because they treat all users inside and outside the network as potentially hostile.

Threat actors find DNS requests so useful because typically, these types of requests are allowed to move through a firewall. Once a DNS connection is made via a DNS resolver, data exfiltration is possible. However, with zero trust, you can apply an access control list (ACL) policy as an enforcement mechanism. At this point, you may uncover suspicious behavior and indicators of compromise (IoCs). Zero-day issues can also be stopped, blocked and triaged. This includes insider threats attempting data exfiltration, such as an employee secretly trying to copy confidential or proprietary data before moving to another company.

Establish Granular Access Control

The bedrock of network security is access control — the inseparable twin of zero trust. Together, they deliver an identity-and-context-based logical-access boundary. This reduces your organization's attack surface, and bolsters DNS security.

Implement a Threat Intelligence Program

Either set up your own threat intelligence program or subscribe to a threat intelligence service for tailored reports. Educate yourself and your security operations center (SOC) teams about the most prevalent threat actor profiles, as well as the different TTPs they use today. With this knowledge, you and your teams can ensure you have the right policies and technology needed to keep your data safe.

Embrace AI/ML

Gartner predicts that by 2035, 90% of detection, and 60% of responses to cyberattacks, will be handled by artificial intelligence (AI). “The volume and speed of attacks will grow by multiple orders of magnitude, said Gartner Distinguished Analyst and Vice President Andrew Walls. “AI (programs) will classify those attacks and only raise an alert when a predefined threshold is reached, allowing the cybersecurity team to focus on the attacks that matter.” 
 
AI/ML also reduces friction and improves user experience, by speeding detection and automating response with less manual intervention required.

Evaluate Security Posture Continuously

Ascertain security conditions for just-in-time and “just-enough” access, and make sure you can dynamically adjust access control policies whenever there is a change in your cybersecurity posture. Modern cyberattacks constantly evolve, so organizations must evolve as well — in alignment with the organization’s risk appetite. Zero trust also creates an opportunity to better align NetOps, SecOps, and ITOps, since implementation will always be a cross-functional effort.

To learn more about CylanceGATEWAY, please schedule a demo, or click here.

For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.

Laura Graves

About Laura Graves

Laura Graves is a Machine Learning Engineer at BlackBerry.